The Third Party Cybersecurity Standard (SACS-002) is a list of controls, named Third Party Controls (TPC), against which the supplier must demonstrate compliance. It is a set of 84 TPC divided into two sections; which section applies depends on the supplier's classification. For suppliers classified under General Requirements, the 24 TPC in Section VII (A) apply. Most suppliers are expected to fall into this classification.
1. Cybersecurity Compliance Certificate (CCC). This applies to companies classified as General Requirements, Outsourced Infrastructure or Customized Software. The supplier completes a self-compliance assessment against SACS-002, which is then verified remotely by an Authorized Audit Firm.
2. Cybersecurity Compliance Certificate Plus (CCC+). This applies to companies classified as Network Connectivity or Critical Data Processor. To obtain the CCC+ certificate, an on-site compliance assessment against SACS-002 is conducted by the Authorized Audit Firm.
1. General Requirements: Any supplier that engages in any form of business, mainly trading of items. All suppliers, irrespective of supply type, fall under General Requirements.
2. Outsourced Infrastructure: The supplier supports Saudi Aramco with services such as infrastructure management and maintenance, or business process operation such as Human Resources.
3. Customized Software: The supplier provides custom-built software such as Enterprise Resource Planning (ERP) systems, or builds and maintains a Saudi Aramco website.
4. Network Connectivity: The supplier has direct network connectivity to the Saudi Aramco corporate network via VPN or leased lines.
5. Critical Data Processor: The supplier is deeply engaged in processing Saudi Aramco data, for example conducting accounting work or risk mitigation.
1. Conduct Self-Assessment: Every supplier should conduct a self-assessment against the Third Party Controls. The self-assessment highlights all gaps in the supplier's information technology and work environment. 9T9 Information Technology's experienced staff have the requisite knowledge and experience to conduct the gap analysis.
2. Documentation: Most suppliers do not have a Cybersecurity Acceptable Use Policy (AUP) governing the use of Third Party Technology Assets. 9T9 Information Technology drafts the document on behalf of the supplier.
3. Gap Remediation: All identified gaps have to be closed. Without closing the gaps the supplier will fail the audit and will not be able to conduct business with Saudi Aramco. Gap remediation includes
Before engaging a Saudi Aramco approved auditor, a thorough evaluation of the requirements should be completed. The evaluation determines the supplier's readiness to pass the audit at the first attempt.
9T9 Information Technology works closely with the approved auditor to submit all required evidence, such as the policies and procedures document, system screenshots, training reports, group policies, email settings, etc. This engagement assures the auditor that all TPC have been addressed and that all gaps have been closed. The auditor then issues the Cybersecurity Compliance Certificate (CCC) to the supplier. The final step of the project is for the supplier to upload the Cybersecurity Compliance Certificate (CCC) to Saudi Aramco through the e-marketplace system.