What is the Saudi Aramco Third Party Cybersecurity Standard (SACS-002)?
The Third Party Cybersecurity Standard (SACS-002) is a list of controls, named TPC (Third Party Controls), against which the supplier needs to show compliance. It is a set of 84 TPC divided into two sections; depending on the supplier classification, the TPC of the corresponding section apply. For suppliers classified under General Requirement, the 24 TPC in Section VII (A) are applicable. Most suppliers are expected to fall into this classification only.
How many types of certificates are part of the Saudi Aramco Third Party Cybersecurity Controls Program?
There are two types of certificates in the Saudi Aramco Third Party Cybersecurity Controls Program.
1. Cybersecurity Compliance Certificate (CCC): applicable to companies classified as General Requirements, Outsourced Infrastructure and Customized Software. The approach is a self-compliance assessment against SACS-002, completed by the company and verified remotely by the Authorized Audit Firm.
2. Cybersecurity Compliance Certificate Plus (CCC+): applicable to companies classified as Connectivity and Critical Data Processor. To gain the CCC+ certificate, an on-site compliance assessment against SACS-002 is conducted by the Authorized Audit Firm.
How does Saudi Aramco classify suppliers?
The Saudi Aramco Third Party Cybersecurity Controls Program classifies suppliers as below. A supplier can fall into one or more classifications.
1. General Requirement: any supplier that engages in any form of business, mainly trading of items. All suppliers, irrespective of supply type, are part of General Requirement.
2. Outsourced Infrastructure: the supplier supports Saudi Aramco with services such as infrastructure management and maintenance, or business process operation such as Human Resources.
3. Customized Software: the supplier provides custom-built software such as Enterprise Resource Planning (ERP), or builds and maintains the Saudi Aramco website etc.
4. Network Connectivity: the supplier has direct network connectivity to the Saudi Aramco corporate network via VPN or leased lines.
5. Critical Data Processor: the supplier is deeply engaged in processing Saudi Aramco data, for example conducting accounting work, risk mitigation etc.
What are the major components of the Saudi Aramco Third Party Cybersecurity Controls Program?
1. Conduct Self-Assessment: every supplier should conduct a self-assessment against the Third Party Controls. The self-assessment will highlight all the gaps in the supplier's information technology and work environment. 9T9 Information Technology's experienced staff have the requisite knowledge and experience to conduct the gap analysis.
2. Documentation: most suppliers do not have a Cybersecurity Acceptable Use Policy (AUP) governing the use of third party technology assets. 9T9 Information Technology would draft the document on behalf of the supplier.
3. Gap Remediation: all identified gaps have to be closed. Without closing the gaps the supplier will fail the audit and will not be able to conduct business with Saudi Aramco. Gap remediation includes:
- Creating or updating the Cybersecurity Acceptable Use Policy (AUP).
- Implementing group policies on domain servers: minimum password length of 8 characters, using alphanumeric and special characters; password history of the last 12 passwords; maximum password age of 90 days for login authentication; account lockout threshold of 10 invalid login attempts; screen saver that automatically locks the session within 15 minutes of inactivity.
- Training: all employees of the supplier must be trained annually on cybersecurity threats, acceptable use and good computing practices. Training must cover the following topics: internet and social media security; cybersecurity acceptable use; social engineering and phishing emails; sharing of credentials (i.e. username and password); data security.
- Setting up a Sender Policy Framework (SPF) record in the DNS zone of the email domain.
- Firewall configuration on endpoints.
- Real-time anti-virus updates.
- Multi-factor authentication for cloud-based access such as email, storage drives etc.
- Introducing a process for informing Saudi Aramco when a supplier employee with access to the Saudi Aramco network leaves the company or is transferred to another department where he/she no longer needs that access.
- Introducing a process for informing Saudi Aramco when the supplier discovers a cybersecurity incident, together with continuous efforts to resolve and mitigate the incident.
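The group policy and SPF items above are the ones a supplier can check mechanically before the pre-audit evaluation. The following Python is an added example written for this page, not tooling from 9T9 Information Technology or Saudi Aramco: it reads a Windows `secedit /export /cfg policy.inf` file, the screen saver values under `HKCU\Control Panel\Desktop`, and the TXT records of the email domain, and lists whatever falls short of the values named in the remediation list. The sample policy export, registry values and TXT records embedded below are constructed for illustration; on a real system you would feed it the actual export, the registry query output and the TXT records returned by `nslookup -type=TXT <domain>`.

```python
import re

# Thresholds taken from the SACS-002 remediation list on this page.
# Keys are the names used in a secedit .inf export ([System Access] section).
PASSWORD_RULES = {
    "MinimumPasswordLength": ("min", 8),   # at least 8 characters
    "PasswordComplexity": ("eq", 1),       # alphanumeric + special characters enforced
    "PasswordHistorySize": ("min", 12),    # remember the last 12 passwords
    "MaximumPasswordAge": ("max", 90),     # days; 0 or -1 means "never expires"
    "LockoutBadCount": ("max", 10),        # invalid attempts; 0 means "no lockout"
}
SCREEN_LOCK_MAX_SECONDS = 15 * 60          # lock within 15 minutes of inactivity

# Constructed sample of `secedit /export /cfg policy.inf` output (not a real export).
SAMPLE_SECEDIT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed HKCU\Control Panel\Desktop values (the registry stores them as strings).
SAMPLE_SCREEN = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "600"}

# Constructed TXT records for a hypothetical email domain.
SAMPLE_TXT = ["v=spf1 include:spf.protection.outlook.com ~all", "site-verification=abc123"]


def parse_secedit(text):
    """Return the integer settings of the [System Access] section of a secedit .inf file."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "System Access" and "=" in line:
            key, _, val = line.partition("=")
            try:
                values[key.strip()] = int(val.strip())
            except ValueError:
                pass  # string entries such as NewAdministratorName are not needed here
    return values


def check_password_policy(values):
    """Compare exported settings with the SACS-002 values; return a list of gaps."""
    gaps = []
    for key, (mode, bound) in PASSWORD_RULES.items():
        if key not in values:
            gaps.append(f"{key}: missing from export")
            continue
        v = values[key]
        if mode == "min" and v < bound:
            gaps.append(f"{key}={v}: must be at least {bound}")
        elif mode == "eq" and v != bound:
            gaps.append(f"{key}={v}: must be {bound}")
        elif mode == "max" and (v <= 0 or v > bound):
            # 0 / -1 switch the control off entirely, which is also a gap
            gaps.append(f"{key}={v}: must be between 1 and {bound}")
    return gaps


def check_screen_lock(reg):
    """Screen saver must be on, password-protected, and fire within 15 minutes."""
    gaps = []
    if reg.get("ScreenSaveActive") != "1":
        gaps.append("ScreenSaveActive: screen saver is not enabled")
    if reg.get("ScreenSaverIsSecure") != "1":
        gaps.append("ScreenSaverIsSecure: resuming does not require a password")
    timeout = int(reg.get("ScreenSaveTimeOut") or 0)
    if timeout <= 0 or timeout > SCREEN_LOCK_MAX_SECONDS:
        gaps.append(f"ScreenSaveTimeOut={timeout}: must be 1..{SCREEN_LOCK_MAX_SECONDS} seconds")
    return gaps


def check_spf(txt_records):
    """Expect exactly one v=spf1 record whose terminating 'all' is not the permissive +all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    m = re.fullmatch(r"([+\-~?]?)all", terms[-1]) if terms else None
    if m is None:
        return ["SPF record has no terminating 'all' mechanism"]
    if m.group(1) in ("", "+"):  # '+' is the default qualifier, so 'all' == '+all'
        return ["SPF record ends with +all, which authorises every sender"]
    return []


def assess(secedit_text, screen_reg, txt_records):
    """Run all three checks and return the gaps grouped by control."""
    return {
        "password_policy": check_password_policy(parse_secedit(secedit_text)),
        "screen_lock": check_screen_lock(screen_reg),
        "spf": check_spf(txt_records),
    }


if __name__ == "__main__":
    for control, gaps in assess(SAMPLE_SECEDIT, SAMPLE_SCREEN, SAMPLE_TXT).items():
        print(control, "OK" if not gaps else "; ".join(gaps))
```

With the constructed inputs the script reports two password policy gaps (MaximumPasswordAge=180 and LockoutBadCount=0), one screen lock gap (the screen saver is not password-protected) and no SPF gap. Each finding maps directly onto a line of the remediation list, which is the evidence an auditor will ask to see as group policy screenshots.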
Pre-Audit Evaluation
Before engaging a Saudi Aramco approved auditor, a thorough evaluation of the requirements should be completed. The evaluation determines the readiness of the supplier to pass the audit on the first attempt.
Engagement with auditors
9T9 Information Technology will work closely with the approved auditor to submit all the required information, such as the policies and procedures document, system screenshots, training reports, group policies, email settings etc. This engagement assures the auditor that all TPC have been addressed and that all gaps have been closed. The auditor will then issue the Cybersecurity Compliance Certificate (CCC) to the supplier. The final step of the project is for the supplier to upload the CCC to Saudi Aramco through the e-marketplace system.
The Cybersecurity Compliance Certificate (CCC) is valid for 2 years from the date of issue. Every 2 years the supplier should renew the certificate by following the process described above. Over time, Saudi Aramco is expected to enhance the program, so during the renewal period the supplier should check for the latest requirements set by Saudi Aramco and work towards compliance with them. It is mandatory to train staff on cybersecurity threats annually.
