Convene: Compliance with the SAMA Cyber Security Framework

Convene: Easier Compliance with the SAMA Cyber Security Framework

Considered prescriptive and comprehensive by nature, the SAMA Cyber Security Framework structure spans four major domains, which are:

  • Leadership and Governance
  • Risk Management and Compliance
  • Operations and Technology
  • Third-Party Considerations

Each of these domains has multiple subdomains that focus on a specific cybersecurity topic, such as regulatory compliance, cyber security audit, infrastructure security, cyber security strategy and policy, and so on.

Convene, the leading board management software, understands the complexity of mandatory SAMA CSF compliance. The solution protects data inside and outside the organisation by controlling document access, permissions, and more.

With Convene, financial institutions can create and implement a data-centric cyber security approach that minimises risks to their information assets. Read on to learn more about the major CSF domains and how Convene supports SAMA Framework compliance for Section 3.2 and Section 3.3 using security automation technologies and controls.

3.1 Cyber Security Leadership and Governance

This section defines the responsibility of the Member Organisation's board for implementing cyber security governance and managing risks effectively. Responsibilities can be delegated to senior management or the cyber security committee. The control requirements for this domain mainly revolve around the Member Organisation's structure and overall security architecture.

Member Organisations can articulate clear roles and responsibilities for personnel in charge of cyber security management, or appoint a chief information security officer (CISO). A CISO can routinely brief senior management and continuously re-evaluate the organisation's security architecture and cyber security maturity.

3.2 Cyber Security Risk Management and Compliance


This control domain encompasses the enterprise’s risk management process and regular review of cybersecurity risks affecting information assets, including business processes and data, applications, infrastructure components, and third-party relationships. 

  • 3.2.1 Cyber Security Risk Management — Specifically refers to the internal processes of the Member Organisation in terms of risk management. 
  • 3.2.2 Regulatory Compliance — Refers to cyber security internal processes for ensuring compliance with regulations.
  • 3.2.3 Compliance with (inter)national industry standards — Refers to compliance with the three industry standards, namely: PCI-DSS, EMV technical standards, and SWIFT Customer Security Controls Framework. 

Convene is relevant to these subdomains and controls:

  • 3.2.4 Cyber Security Review — This subdomain requires periodic cyber security reviews of information assets, which Convene supports. Convene can support activities such as sharing penetration testing results, and classifying and creating remediation plans for discovered vulnerabilities.
  • 3.2.5 Cyber Security Audits — This requires Member Organisations to conduct independent and regular cyber security audits in line with the SAMA CSF and accepted auditing standards. Convene has been audited against the SOC-2 framework for Security and Availability and holds several certifications like ISO-9001, ISO-14001, and ISO-27001, and has been appraised as a CMMI Level 5 company.

3.3 Cyber Security Operations and Technology

This requires Member Organisations to safeguard their technologies, information assets, and support processes, which are utilised in day-to-day operations.

  • 3.3.1 Human Resources — Implementing cyber security requirements into the human resources processes, such as background checks and post-employment activities. 
  • 3.3.2 Physical Security — Securing physical facilities that hold sensitive information assets, including but not limited to data centres and rooms, surveillance, and transport and secure disposal.
  • 3.3.3 Asset Management — Refers to the asset management process that involves custodianship of information assets, discovery of new assets, and information asset classification and labelling. 
  • 3.3.4 Cyber Security Architecture — Achieving strategic and consistent cyber security architecture based on business requirements, which also involves periodic review and employing cyber security architects. 
  • 3.3.7 Change Management — Refers to the change management process for all information assets that involves assessment, classification, and security testing of internal processes and applications.
  • 3.3.8 Infrastructure Security — Covers the overall cyber security controls within the organisation’s infrastructure, and all instances of the infrastructure itself, such as firewalls, gateway servers, and external connections.
  • 3.3.10 Bring Your Own Device (BYOD) — Involves the implementation of cyber security standards on personal devices allowed for business purposes, from regulating corporate mobile applications to using mobile device management.

Read more information about the other subdomains and controls that are not relevant to Convene here.

Convene applies to these subdomains and controls:

  • 3.3.5 Identity and Access Management — This refers to access restriction on information assets that involve multi-factor authentication (MFA) and user access management, often supported by automation. Convene readily features MFA and system automation, and even allows configuration of document access down to file level, preventing unintended parties from accessing critical systems and profiles.
  • 3.3.6 Application Security — This involves the application of cyber security standards for application systems and implementation of controls such as access and identity management. Convene allows users to have two distinct system roles (general users or system administrator) and requires re-authentication after inactivity to avoid unauthorised access. For periodic cyber security compliance reviews, Convene can conduct regular vulnerability scans and internal and external penetration tests.
  • 3.3.9 Cryptography — This entails the use of cryptographic solutions for ensuring the integrity of critical information assets. Following industry best practices for cryptographic processes, Convene guarantees complete data protection through symmetric encryption with AES-256. A dedicated unique document key is provided to each asset. For cryptographic hashing, Convene can also utilise Secure Hash (SHA-2) algorithms whenever necessary.
  • 3.3.11 Secure Disposal of Information Assets — This refers to the secure disposal of information assets that are no longer required, in line with legal and regulatory requirements. Following secure deletion procedures, information assets in Convene are deleted using a crypto shredding approach: rather than decrypting a document at erasure, the key that protects it is destroyed, leaving the remaining ciphertext undecipherable and impossible to recreate.
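To make the cryptography and secure-disposal points above concrete, here is an added Go illustration (not Convene's code) of a per-document AES-256 key with AES-GCM, and of crypto shredding: destroying a document's key so that any ciphertext left in storage or backups can no longer be opened. The in-memory key and document maps, and the document ids, are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// keys: one AES-256 key per document id; docs: nonce||ciphertext per id.
var keys, docs = map[string][]byte{}, map[string][]byte{}

// gcm builds an AES-GCM AEAD; neither constructor can fail for a 32-byte key.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Store: fresh 256-bit key and 96-bit nonce per document; AES-GCM seal with the id as AAD.
func Store(id string, plaintext []byte) error {
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	key, nonce := buf[:32:32], buf[32:]
	keys[id] = key
	docs[id] = gcm(key).Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Open decrypts a document; it fails once the document's key is gone.
func Open(id string) ([]byte, error) {
	key, ok := keys[id]
	if !ok {
		return nil, errors.New("no key: document shredded or unknown")
	}
	g, blob := gcm(key), docs[id]
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(id))
}

// Shred crypto-shreds a document: zero and drop its key; leftover ciphertext is unrecoverable.
func Shred(id string) {
	for i := range keys[id] {
		keys[id][i] = 0
	}
	delete(keys, id)
}
```

Because every document has its own key, shredding one document leaves every other document readable; the GCM tag also means any tampering with retained ciphertext is detected on Open.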

3.4 Third Party Cyber Security

This involves the implementation of cyber security protection when dealing with third parties, such as information services providers, suppliers and vendors, outsourcing providers, governmental agencies, and so on. 

As per best practice, it is important to thoroughly evaluate partnerships with such providers. You can prepare an inventory of all third-party providers and grade them by risk impact, and create a third-party incident response plan that lists the risks and threats most relevant to your organisation. Doing so can help prevent cyber risks from materialising.

Get Started with Convene


Designed as digital board management software, Convene is one of the leading cyber security solutions in KSA and other GCC countries. It supports guaranteed compliance with the SAMA CSF, helping companies achieve complete data protection and accurate security audits. If you have more questions about how Convene can help you maintain CSF compliance, don't hesitate to reach out to our friendly team today!


Jielynne Barao

Jielynne is a Content Marketing Writer at Convene. With over six years of professional writing experience, she has worked with several SEO and digital marketing agencies, both local and international. She strives to craft clear marketing copy and creative content for Convene's various platforms, such as the website and social media. Jielynne displays a decided lack of knowledge about calculus, but proudly excels in literary arts and content marketing.
