NCSI FULFILMENT PERCENTAGE
Version 1 Oct 2022
GENERAL CYBER SECURITY INDICATORS
-
1. Cyber security policy development 4/7 57%47 57%
-
1.1. Cyber security policy unit 333
Requirements
CriteriaA central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy development.
Accepted referencesOfficial website or legal act
Evidence
https://www.nca.gov.sa/en/index.html
National Cybersecurity Authority
https://www.ncar.gov.sa/Documents/Details?Id=90MqUsSPf4vivd%2B6siDTEA%3D%3D
Royal Decree Establishing NCA
Article 4, Clause 2, Page 4:
“The duties and responsibilities of the Authority shall include:
2. Design, circulate and update cybersecurity policies, governance models, frameworks, standards, controls, guidelines, and monitor compliance with the relevant authorities; “
-
1.2. Cyber security policy coordination format 002
Requirements
CriteriaThe central government has a committee, council, working group, etc. for national-level cyber security policy coordination.
Accepted referencesOfficial website or legal act
Evidence
-
1.3. Cyber security strategy 111
Requirements
CriteriaThe central government has established a national-level cyber security strategy or other equivalent document.
Accepted referencesValid official document
Evidence
https://www.nca.gov.sa/en/pages/strategic.html
The NCA has a comprehensive national level mandate, Article 4 section 1 states that “The Authority’s powers and functions shall include: developing the national strategy for cyber security, supervising its implementation, and proposing updates thereto”
Hence, The authority has developed and designed national cybersecurity strategy starting from 2018 with the support of local and global experts in cybersecurity and in consultation with all relevant stakeholders.
-
1.4. Cyber security strategy implementation plan 001
Requirements
CriteriaThe central government has established an implementation plan to the national-level cyber security strategy or other equivalent document.
Accepted referencesValid official document or its enforcement act
Evidence
-
-
2. Cyber threat analysis and information 5/5 100%55 100%
-
2.1. Cyber threats analysis unit 333
Requirements
CriteriaA central government entity has a national-level unit that is specialised in national strategic cyber threat situation analysis.
Accepted referencesOfficial website or legal act
Evidence
https://ega.ee/wp-content/uploads/2019/03/1.png
National Cybersecurity Center (NCSC) which is currently a part of NCA.
Official link: https://bit.ly/2EEdltT (might not be accessible from outside Saudi Arabia)
-
2.2. Public cyber threat reports are published annually 111
Requirements
CriteriaThe public part of the national cyber threat situation analysis is published at least once a year.
Accepted referencesOfficial public report
Evidence
https://ega.ee/wp-content/uploads/2019/03/2.png
National Cybersecurity Center (NCSC) publishes reports on national cyber threats.
Official link: https://bit.ly/2T6UBHf (might not be accessible from outside Saudi Arabia)
-
2.3. Cyber safety and security website 111
Requirements
CriteriaPublic authorities provide at least one cyber safety and security website for cyber security and ICT professionals, and regular users.
Accepted referencesWebsite
Evidence
http://www.citc.gov.sa/ar/mediacenter/awarenesscampaigns/Pages/default.aspx
CITC has awareness content in its website for general ICT users. Which includes the following topics:
A. Digital literacy
1. Travel and tourism instructions.
- Roaming service.
- Search and rescue service.
…..etc
2. The internet.
- How to get the best WiFi service in your house.
- Internet filtering.
… etc
B. User safety and security
1. Family and children
- Parents tips for a kids-friendly internet.
- Children tips for a safe internet.
- Activating IOS parental controls.
- Electronic bullying.
……. Etc
2. Digital safety
- Anti-cybercrimes law.
- Phishing.
- Spoofing.
… etc.
C. User rights
- User right to suspend services.
- User right to request cancellation of services.
…. etc.
-
-
3. Education and professional development 9/9 100%99 100%
-
3.1. Cyber safety competencies in primary or secondary education 111
Requirements
CriteriaPrimary or secondary education curricula include cyber safety / computer safety competences.
Accepted referencesOfficial curriculum or official report
Evidence
Study plan for Middle school shows that taking one computer and information technology course “الحاسب الآلي” per year is compulsory to pass each grade.
Study plan for High school shows that taking two computer and information technology courses “الحاسب الآلي” per year is compulsory to pass each grade.
https://iencontent.t4edu.com/books/20181007133649036-GE-ME-K07-SM2-comp.pdf
Examples of Cyber and information safety competence in secondary education:
1. Computer and Information technology course book for the first year of middle school, Second semester.
Unit 6, Page 94, the topics include:
- Viruses definition and types.
- Causes of attacks.
- Protection methods.
https://iencontent.t4edu.com/books/20180610150301126-GE-ME-K08-SM1-COMP.pdf
2. Computer and Information technology course book for the Second year of middle school, first semester.
Unit 1, Pages 16-18, the topics include:
1-9 Information security
1-9-1 The importance of information security
1-9-2 Means of information attacks: (Spoofing, Eavesdropping, Penetration, Malware)
1-9-3 Information security mechanism:
(encrypt information, Firewall, backup, Automatic update)
https://iencontent.t4edu.com/books/20180717114118972-GE-CBE-TRC-COMP2S.pdf
3. Computer and Information technology course book for the first year of high school.
Unit 2, pages 39-47, the topics include:
2-1 introduction
2-2 information security:
- elements of information security; confidentiality, safety and availability.
- Ethreats; Spoofing, Eavesdropping, and viruses.
- Information security accidents.
- Ecrimes law.
2-3 information encryption systems and science
- Encryption types; Symmetric cryptography and Asymmetric cryptography.
- WiFi encryption types: WEP, WPA and WPA2.
2-4 Web applications protection:
- Firewall, https, digital signature and digital certificates.
2-5 instructions for information protection.
-
3.2. Bachelor’s level cyber security programme 222
Requirements
CriteriaThere is at least one cyber security / electronic information security focused programme at Bachelor’s or equivalent level.
Accepted referencesAccredited study programme
Evidence
http://computing.uj.edu.sa/Pages-BS-Cyber-Security.aspx
Cyber Security Bachelor's course at the University of Jeddah
Bachelor of Science in Cyber Security and Digital Forensics (CYS) at the Imam Abdulrahman Bin Faisal University
-
3.3. Master’s level cyber security programme 222
Requirements
CriteriaThere is at least one cyber security / electronic information security focused programme at Master’s or equivalent level.
Accepted referencesAccredited study programme
Evidence
http://www.kfupm.edu.sa/departments/ics/Pages/en/M-S-in-Security-Information-Assurance.aspx
KFUPM M.S. in Security & Information Assurance
https://seu.edu.sa/sites/en/colleges/cocai/Pages/StudyPlanMIS.aspx
Master in Information Security at the Saudi Electronic University
-
3.4. PhD level cyber security programme 222
Requirements
CriteriaThere is at least one cyber security / electronic information security focused programme at PhD or equivalent level.
Accepted referencesAccredited study programme
Evidence
http://www.kfupm.edu.sa/departments/ics/Pages/en/Ph-D--in-Computer-Science.aspx
PhD in Computer Science at the King Fahd university of petroleum and mineral includes research fields such as:
- IT security systems, including biometrics and forensics
- Applied cryptography and steganography
- Encryption and authentication technologies
- Computer network security
-
3.5. Cyber security professional association 222
Requirements
CriteriaThere is a professional association of cyber/electronic information security specialists, managers or auditors.
Accepted referencesWebsite
Evidence
http://computer.org.sa/committee1/
Saudi Computer Society has a group for information security. It is mentioned as the second point in the last section.
ISACA Riyadh
-
-
4. Contribution to global cyber security 2/6 33%26 33%
-
4.1. Convention on Cybercrime 001
Requirements
CriteriaThe country has ratified the Convention on Cybercrime.
Accepted referencesOfficial website of the convention
Evidence
-
4.2. Representation in international cooperation formats 111
Requirements
CriteriaThe government is regularly represented in a cooperation format that is dedicated to international cyber security (e.g. FIRST).
Accepted referencesOfficial website of the cooperation format
Evidence
https://www.oic-cert.org/en/allmembers.html#.W__cBsuNzuj
Saudi Arabia is a member of OIC-CERT.
https://www.itu.int/en/council/Pages/members.aspx
ITU membership region E
http://wam.ae/en/details/1395290764931
Saudi Arabia is also a member of GCC-CERT and Mnemo-CERT.
-
4.3. International cyber security organisation hosted by the country 003
Requirements
CriteriaA regional or international cyber security organisation is hosted by the country.
Accepted referencesOrganisation’s official website
Evidence
-
4.4. Cyber security capacity building for other countries 111
Requirements
CriteriaThe country has (co-)financed or (co-)organised at least one capacity building project for another country in the last 3 years.
Accepted referencesOfficial website or project document
Evidence
Roll Out of the Global Child Online Protection Project in Albania in collaboration with the National Cybersecurity Authority (NCA) of the Kingdom of Saudi Arabia
-
BASELINE CYBER SECURITY INDICATORS
-
5. Protection of digital services 5/5 100%55 100%
-
5.1. Cyber security responsibility for digital service providers 111
Requirements
CriteriaAccording to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.
Accepted referencesLegal act
Evidence
https://www.citc.gov.sa/en/RulesandSystems/CyberSecurity/Documents/CRF-en.pdf
Cybersecurity Regulatory Framework (CRF)
-
5.2. Cyber security standard for the public sector 111
Requirements
CriteriaPublic sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.
Accepted referencesLegal act
Evidence
Essential Cybersecurity Controls (ECC)
ECC Scope of Work, Page 9:
“These controls are applicable to government organizations in the Kingdom of Saudi Arabia (including ministries, authorities, establishments and others) and its companies and entities, as well as private sector organizations owning, operating or hosting Critical National Infrastructures (CNIs), which are all referred to herein as “The Organization”. The NCA strongly encourages all other organizations in the Kingdom to leverage these controls to implement best practices to improve and enhance their cybersecurity.”
Government organizations mentioned in the scope includes all public sector organizations and companies, not only those operating or hosting CNIs.
ECC Statement of Applicability, Page 9:
“These controls have been developed after taking into consideration the cybersecurity needs of all organizations and sectors in the Kingdom of Saudi Arabia. Every organization must comply with all applicable controls in this document. “
-
5.3. Competent supervisory authority 333
Requirements
CriteriaThe government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.
Accepted referencesOfficial website or legal act
Evidence
https://www.citc.gov.sa/en/RulesandSystems/CyberSecurity/Documents/CRF-en.pdf
Communications and Information Technology Commission (CITC)
-
-
6. Protection of essential services 6/6 100%66 100%
-
6.1. Operators of essential services are identified 111
Requirements
CriteriaThere is a legal act that allows to identify operators of essential services.
Accepted referencesLegal act
Evidence
http://www.ncar.gov.sa/Documents/Details?Id=90MqUsSPf4vivd%2B6siDTEA%3D%3D
Royal Decree Establishing NCA
Article 4, Clause 3, Page 4:
“The duties and responsibilities of the Authority shall include:
3- Define critical national infrastructure assets and related entities, and identify priority sectors for cybersecurity protection efforts;"
https://ega.ee/wp-content/uploads/2019/03/Critical-Systems-Cybersecurity-Controls.pdf
Critical Systems Cybersecurity Controls
Critical systems definition, Page 8:
“Systems of which any failure, interruption or unauthorized access to it or the data and information saved or being processed by it; notably impacts the entity’s availability of services or workflow, or leads to a significant financial, economic or social impact on the national level”
Criteria for determining critical systems, Page 9:
“The system is considered to be critical if failure, interruption or unauthorized access leads directly or indirectly to one or more of the following:
- Damage or loss of lives.
- Influence on national reputation.
- Significant financial losses.
- Impact on services provided to a large number of users (more than 5% of the population).
- Unauthorized disclosure of classified data either secret or top secret.”
Thus, if an entity has a system that match one or more of these criteria, it is considered an operator of essential services.
Official link: https://www.ncsc.gov.sa/wps/wcm/connect/ncsc/7c106926-b8e7-438e-91b9-5f1ec4133756/%D8%A7%D9%84%D8%A7%D9%86%D8%B8%D9%85%D8%A9+%D8%A7%D9%84%D8%AD%D8%B3%D8%A7%D8%B3%D8%A9.pdf?MOD=AJPERES&CVID=mrEado4 (might not be accessible from outside Saudi Arabia)
-
6.2. Cyber security requirements for operators of essential services 111
Requirements
CriteriaAccording to the legislation, operators of essential services must manage cyber/ICT risks.
Accepted referencesLegal act
Evidence
https://ega.ee/wp-content/uploads/2019/03/Critical-Systems-Cybersecurity-Controls.pdf
Critical Systems Cybersecurity Controls
Controls scope of work, Page 9:
“These controls are applicable to government organizations that owns or use critical systems (including ministries, authorities, establishments, embassies and others) either inside or outside the kingdom of Saudi Arabia, and its companies and entities, as well as
private sector organizations owning, operating or hosting Critical National Infrastructures (CNIs), which are all referred to herein as “The Organization”. NCA strongly encourages all other organizations in the Kingdom to leverage these controls to implement best practices to improve and enhance their cybersecurity.”
A summary of the Main and sub components of critical systems’ cybersecurity controls that are explained in detail throughout the document, Page 13.
Official link: https://www.ncsc.gov.sa/wps/wcm/connect/ncsc/7c106926-b8e7-438e-91b9-5f1ec4133756/%D8%A7%D9%84%D8%A7%D9%86%D8%B8%D9%85%D8%A9+%D8%A7%D9%84%D8%AD%D8%B3%D8%A7%D8%B3%D8%A9.pdf?MOD=AJPERES&CVID=mrEado4 (might not be accessible from outside Saudi Arabia)
-
6.3. Competent supervisory authority 333
Requirements
CriteriaThe government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.
Accepted referencesOfficial website or legal act
Evidence
http://www.ncar.gov.sa/Documents/Details?Id=90MqUsSPf4vivd%2B6siDTEA%3D%3D
Royal Decree Establishing NCA
Article 3, Page 4:
"The Authority shall be the competent authority for cybersecurity in KSA. It aims to boost the State’s cybersecurity and protect its vital interests, national security, critical infrastructure, priority sectors and government services and activities. This shall however not relieve other public or private entities of their cybersecurity responsibilities, provided such responsibilities do not interfere with the Authority’s mandate, as set forth in this Regulation.”
https://ega.ee/wp-content/uploads/2019/03/Critical-Systems-Cybersecurity-Controls.pdf
Critical Systems Cybersecurity Controls
Page 6:
“NCA’s mandate states that its responsibility for cybersecurity does not clear any public, private or other organization from its own cybersecurity responsibilities as confirmed by the Royal Decree number 57231, dated 10/11/1439H, which states that “all government organizations must improve their cybersecurity level to protect their networks, systems and data, and comply with NCA’s policies, framework, standards, controls and guidelines”
From this perspective, NCA developed the Critical Systems Cybersecurity Controls (CSCC-1: 2018) to set the minimum cybersecurity requirements for critical systems within national organizations, in addition to Essential cybersecurity Controls (ECC-1:2018).”
Official link: https://www.ncsc.gov.sa/wps/wcm/connect/ncsc/7c106926-b8e7-438e-91b9-5f1ec4133756/%D8%A7%D9%84%D8%A7%D9%86%D8%B8%D9%85%D8%A9+%D8%A7%D9%84%D8%AD%D8%B3%D8%A7%D8%B3%D8%A9.pdf?MOD=AJPERES&CVID=mrEado4 (might not be accessible from outside Saudi Arabia)
-
6.4. Regular monitoring of security measures 111
Requirements
CriteriaOperators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).
Accepted referencesLegal act
Evidence
https://ega.ee/wp-content/uploads/2019/03/Essential-Cybersecurity-Controls.pdf
Essential Cybersecurity Controls
Paragraph 2 and 3, Page 10:
“NCA evaluates organizations’ compliance with the ECC through multiple means such as self-assessments by the organizations, periodic reports of the compliance tool or on-site audit visits.
Evaluation and Compliance Tool
NCA will issue a tool (ECC-1: 2018 Assessment and Compliance Tool) to organize the process of evaluation and compliance measurement against the ECC. “
Control 1-8 Periodical Cybersecurity Review and Audit,
Page 17:
“1-8-1 Cybersecurity reviews must be conducted periodically by the
cybersecurity function in the organization to assess the compliance with the cybersecurity controls in the organization.
1-8-2 Cybersecurity audits and reviews must be conducted by independent parties outside the cybersecurity function (e.g., Internal Audit function) to assess the compliance with the cybersecurity controls in the organization. Audits and reviews must be conducted independently, while ensuring that this does not result in a conflict of interest, as per the Generally Accepted Auditing Standards (GAAS), and related laws and regulations.
1-8-3 Results from the cybersecurity audits and reviews must be documented and presented to the cybersecurity steering committee and Authorizing Official. Results must include the audit/review scope, observations, recommendations and remediation plans.”
Official link: https://ega.ee/wp-content/uploads/2019/03/Essential-Cybersecurity-Controls.pdf (might not be accessible from outside Saudi Arabia)
-
-
7. E-identification and trust services 9/9 100%99 100%
-
7.1. Unique persistent identifier 111
Requirements
CriteriaThe government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.
Accepted referencesLegal act
Evidence
https://ega.ee/wp-content/uploads/2019/03/Civil-status-law-and-bylaw.pdf
Civil status law and Bylaw
Chapter 8, Clause 146, page 38:
“The identity card (National ID) shall contain the following:
a- Personal photo.
b- Full name with at least four names provided (first name, father’s name, grandfather’s name, last name or fame name).
c- Place of birth.
d- birthday.
e- civil register number.
f- expiration date.
g- issuer.
h- version number.
i- preservation number, entity and date.
j- smart chip.”
Official link: https://bit.ly/2R4BXz5 (might not be accessible from outside Saudi Arabia)
Additionally, NCA is currently working to enhance the unique persistent identifier to all citizens, residents, and legal entities.
-
7.2. Requirements for cryptosystems 111
Requirements
CriteriaRequirements for cryptosystems in the field of trust services are regulated.
Accepted referencesLegal act
Evidence
https://nca.gov.sa/files/ncs_en.pdf
As per the mandate of the National Cybersecurity Authority (NCA) that was issued by the Royal Order number 6801, dated October 31, 2017, the NCA is mandated to draft the national cryptographic policies and standards, to ensure compliance with these standards and policies, and to review and update them periodically.
-
7.3. Electronic identification 111
Requirements
CriteriaElectronic identification is regulated.
Accepted referencesLegal act
-
7.4. Electronic signature 111
Requirements
CriteriaE-signature is regulated
Accepted referencesLegal act
-
7.5. Timestamping 111
Requirements
CriteriaTimestamping is regulated.
Accepted referencesLegal act
-
7.6. Electronic registered delivery service 111
Requirements
CriteriaElectronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.
Accepted referencesLegal act
Evidence
https://meras.gov.sa/en/about/?landing=1
Meras is a government program launched as part of Saudi Vision 2030, which provides all government and private sector services that is needed to start your business in one day. Meras provides a high quality integrated services through an online and physical One-Stop-Shop centers.
https://www.yesser.gov.sa/EN/BuildingBlocks/Pages/e-Gov._network.aspx
GSN Network: A Communications Network for e-Government Transactions established by YESSER Program.
https://www.yesser.gov.sa/EN/BuildingBlocks/Pages/saudi_portal.aspx
Saudi Portal: A Central portal that provides access to eGoverment Services
-
7.7. Competent supervisory authority 333
Requirements
CriteriaThere is an authority responsible for the supervision of qualified trust service providers.
Accepted referencesOfficial website or legal act
Evidence
https://ega.ee/wp-content/uploads/2019/03/3.png
The National Center for Digital Certification (NCDC) provides trust services to secure the exchange of information between key stakeholders. Participants include government, citizens and the business sector.
Official link: https://www.ncdc.gov.sa/SitePages/NCDCBrief.aspx (might not be accessible from outside Saudi Arabia)
-
-
8. Protection of personal data 4/4 100%44 100%
-
8.1. Personal data protection legislation 111
Requirements
CriteriaThere is a legal act for personal data protection.
Accepted referencesLegal act
Evidence
https://www.citc.gov.sa/en/RulesandSystems/privacy/Documents/Data_Privacy_Principles_For_ICT_en.pdf
General Principle for Personal Data Protection
-
8.2. Personal data protection authority 333
Requirements
CriteriaThere is an independent public supervisory authority that is responsible for personal data protection.
Accepted referencesOfficial website or legal act
Evidence
The Saudi Data and Artificial Intelligence Authority (SDAIA)
-
INCIDENT AND CRISIS MANAGEMENT INDICATORS
-
9. Cyber incidents response 6/6 100%66 100%
-
9.1. Cyber incidents response unit 333
Requirements
CriteriaThe government has a unit (CSIRT, CERT, CIRT, etc.) that is specialised in national-level cyber incident detection and response.
Accepted referencesOfficial website or legal act
Evidence
http://www.ncar.gov.sa/Documents/Details?Id=90MqUsSPf4vivd%2B6siDTEA%3D%3D
Royal decree establishing NCA
Article 3, page 4:
“The Authority shall be the competent authority for cybersecurity in KSA. It aims to boost the State’s cybersecurity and protect its vital interests, national security, critical infrastructure, priority sectors and government services and activities.”
Article 4, Clause 6, page 4:
“The duties and responsibilities of the Authority shall include:
6- Develop, update and oversee the implementation of a national cyber incident response framework;”
-
9.2. Reporting responsibility 111
Requirements
CriteriaDigital service providers and operators of essential services have an obligation to notify appointed government authorities of cyber security incidents.
Accepted referencesLegal act
Evidence
https://www.ncar.gov.sa/Documents/Details?Id=90MqUsSPf4vivd%2B6siDTEA%3D%3D
Article 10, Clause 2 of the Royal Decree No. 6801 (NCA mandate) states that all entities must notify NCA of any cyber incidents.
https://www.citc.gov.sa/ar/Decisions/PublishingImages/Pages/415-1441/attch415.pdf
The Communication and Information technology commission (CITC) released the General Principles of Personal Data Protection which covers the privacy aspects of the communication and information technologies users, section 5 (specifically point 5-6) cover the obligation of service providers to report any personal data breach to the commission.
-
9.3. Single point of contact for international coordination 222
Requirements
CriteriaThe government has designated a single point of contact for international cyber security coordination.
Accepted referencesOfficial website or legal act
Evidence
http://www.ncar.gov.sa/Documents/Details?Id=90MqUsSPf4vivd%2B6siDTEA%3D%3D
Royal Decree Establishing NCA
Article 4, Clause 15, 16 and 17, page 6:
“The duties and responsibilities of the Authority shall include:
15. Communicate with similar international cybersecurity entities, and build cooperation and partnership mechanisms to support the exchange of knowledge and expertise;
16. Exchange cybersecurity know-how, technical expertise, and data and information with similar entities outside KSA;
17. Represent KSA to relevant regional and international organizations, committees and bilateral groups, and ensure fulfillment of KSA’s international cybersecurity commitments;”
-
-
10. Cyber crisis management 3/5 60%35 60%
-
10.1. Cyber crisis management plan 001
Requirements
CriteriaThe government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act
Evidence
-
10.2. National-level cyber crisis management exercise 222
Requirements
CriteriaThe government has conducted a national-level cyber crisis management exercise or a crisis management exercise with a cyber component in the last 3 years.
Accepted referencesExercise document/website or press release
Evidence
https://www.spa.gov.sa/1886256
On February 2019, NCA conducted a simulation exercise to respond to national cyber crisis event, with the participation of a number of international expertise, government and vital agencies, and the presence of a number of officials and national specialists in cybersecurity.
-
10.3. Participation in international cyber crisis exercises 111
Requirements
CriteriaThe country's team has participated in an international cyber crisis management exercise in the last 3 years.
Accepted referencesExercise document/website or press release
Evidence
https://www.itu.int/en/ITU-D/Cybersecurity/Pages/Tunisia_cyberdrill_2016.aspx
Saudi Arabia has participated in the 4th Cyberdrill for Arab region in Tunisia, in 2016.
-
10.4. Operational support of volunteers in cyber crises 001
Requirements
CriteriaThe procedures for using volunteers in the field of cyber security are established by legislation.
Accepted referencesLegal act
Evidence
-
-
11. Fight against cybercrime 9/9 100%99 100%
-
11.1. Cybercrimes are criminalised 111
Requirements
CriteriaCybercrimes are defined by legislation.
Accepted referencesLegal act
Evidence
-
11.2. Cybercrime unit 333
Requirements
CriteriaThere is a government entity with a specific function of combatting cybercrime.
Accepted referencesOfficial website or legal act
Evidence
-
11.3. Digital forensics unit 333
Requirements
CriteriaThere is a government entity with a specific function of digital forensics.
Accepted referencesOfficial website or legal act
Evidence
-
11.4. 24/7 contact point for international cybercrime 222
Requirements
CriteriaThe government has designated an international 24/7 contact point for cybercrimes.
Accepted referencesOfficial website or legal act
Evidence
https://www.interpol.int/Who-we-are/Member-countries/Asia-South-Pacific/SAUDI-ARABIA
https://www.interpol.int/Crimes/Cybercrime
Saudi Arabia is a member of the Interpol and has a National Central Bureau in Riyadh, the capital city of Saudi Arabia.
-
-
12. Military cyber operations 3/6 50%36 50%
-
12.1. Cyber operations unit 003
Requirements
CriteriaMilitary forces have a unit (cyber command, etc.) that is specialised in planning and conducting cyber operations.
Accepted referencesOfficial website or legal act
Evidence
-
12.2. Cyber operations exercise 222
Requirements
CriteriaMilitary forces have conducted a cyber operations exercise or an exercise with a cyber operations component in the country in the last 3 years.
Accepted referencesExercise document/website or press release
Evidence
https://www.mod.gov.sa/MediaCenter/MinistryNews/Pages/450.aspx
Saudi Arabia participated in Eager Lion 2019 which had a cyber security component.
-
12.3. Participation in international cyber exercises 111
Requirements
CriteriaThe country's military team has participated in an international cyber operations exercise in the last 3 years.
Accepted referencesExercise document/website or press release
Evidence
7th Eager Lion military drill in 2017
-
Information Disclaimer
The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.
What can I do to improve my country's data in NCSI?
Become a data contributor Update a specific indicator with evidence data
CONTRIBUTORS
GM, International Cooperation of the National Cybersecurity Authority
