Cyber security attacks have grown exponentially over the past couple of years. With millions of users working from home attack vectors for hackers are now easily available. To mitigate the cybersecurity risk from its suppliers network Saudi Aramco Third Party Cybersecurity Controls Program has been made mandatory. All suppliers, irrespective of classification, have to go through the Saudi Aramco Third Party Cybersecurity Controls Program.

The Saudi Aramco Third Party Cybersecurity Controls Program ensures that all third parties (Aramco suppliers) are in compliance with the cybersecurity requirements set in the Third Party Cybersecurity Standard (SACS-002). The program is in place to protect Saudi Aramco and to make sure suppliers have the minimum level of cybersecurity.

What is the Saudi Aramco Third Party Cybersecurity Standard (SACS-002)?
Third Party Cybersecurity Standard (SACS-002) is a list of controls, named TPC (Third party Controls), wherein the supplier needs to show compliance. It is set of 84 TPC (Third party Controls) divided into two sections. Depending on supplier classification the TPC of the Section is applicable. For General Requirement classified supplier 24 TPC in the Section VII (A) are applicable. Most of the suppliers are expected to fall into this classification only.

How many type of certificates are part of the Saudi Aramco Third Party Cybersecurity Controls Program?

There are two types of certificates in the Saudi Aramco Third Party Cybersecurity Controls Program

1. Cybersecurity Compliance Certificate- CCC. This is applicable to General Requirements, Outsourced Infrastructure and Customized Software classified companies. The approach is through a self-compliance assessment against SACS-002, completed by the company, and verified remotely by the Authorized Audit Firm.
2. Cybersecurity Compliance Certificate Plus- CCC+. This is applicable to Connectivity & Critical Data Processor classified companies. To gain the CCC+ certificate an on-site compliance assessment against SACS-002, conducted by the Authorized Audit Firm.

How does Saudi Aramco classify suppliers?
Saudi Aramco Third Party Cybersecurity Controls Program classifies suppliers as per below. Supplier can fall into one or more classification.

1. General Requirement: Any supplier that engages is any form of business mainly trading of items. All suppliers irrespective of supply type are part of General Requirement.
2. Outsourced Infrastructure: Supplier is supporting Saudi Aramco for various services like infrastructure management and maintenance, business process operation like Human Resources etc.
3. Customized Software: Supplier is providing custom built software like Enterprise Resource management (ERP), building and maintaining Saudi Aramco website etc.
4. Network Connectivity: Supplier has direct network connectivity to Saudi Aramco corporate network via VPN or leased lines.
5. Critical Data Processor: Supplier is deeply engaged in processing Saudi Aramco data like conducting accounting work, risk mitigation etc.

What are the major components of the Saudi Aramco Third Party Cybersecurity Controls Program?
Broadly Saudi Aramco has stated the following:

Conduct Self Assessment
For more information go to section below.

Select an Authorized Audit Firm
Saudi Aramco has a list of approved audit firms. Supplier is to engage with anyone it finds suitable. Aramco does not have any preference when it comes to choosing the firm, as long as supplier is going to work with one of the authorized firms,

Compliance Verification & Issuance
Submit the filled Third Party Cybersecurity Compliance Report, Third Party Classification Template, and Third Party Classification Confirmation Letter to the Authorized Audit Firm, prior to the assessment verification.

Submit issued CCC
Submit the issued Third Party Cybersecurity Compliance Certificate and the Cybersecurity Compliance Report by the Authorized Audit Firm to Saudi Aramco, through the e-marketplace system.

How does 9T9 Information Technology assist with the Saudi Aramco Third Party Cybersecurity Controls Program?
Our major service for the Saudi Aramco Third Party Cybersecurity Controls Program are below. However, there may arise more services that supplier may require to be able to complete the Saudi Aramco Third Party Cybersecurity Controls Program

Conduct Self-Compliance Assessment
Every supplier should conduct self-assessment versus the Third Party Controls. The self assessment will highlight all the gaps in supplier’s information technology and work environment. 9T9 Information Technology experienced staff has the requisite knowledge and experience to conduct the gap analysis.

Documentation
Most of the suppliers do not have a Cybersecurity Acceptable Use Policy (AUP) governing the use of Third Party Technology Assets. 9T9 Information Technology would draft the document on behalf of the supplier.

Gap Remediation
All gaps that were identified have to be closed. Without closing the gaps supplier will fail the audit and would not be able to conduct business with Saudi Aramco. Gap remediation includes

• Creation/updating Cybersecurity Acceptable Use Policy (AUP).
• Implementing group policies on domain servers (Minimum length: 8 alphanumeric characters and special characters; History: last 12 passwords; Maximum age: 90 days for login authentication; Account lockout threshold: 10 invalid login attempts; Screen saver settings: automatically locked within 15 minutes of inactivity).
• Training: All employees of the supplier are required to be trained annually of the cybersecurity threats, acceptable use and good computing practices. Training must address the following topics:

Internet and social media security
Cybersecurity Acceptable Use
Social Engineering and phishing emails
Sharing credentials (i.e. username and password)
Data Security

• Setting up of Sender Policy Framework (SPF) record in email Domain Name Server.
• Firewall Configuration on end points.
• Anti-Virus updates in real time.
• Multi-Factor Authentication for cloud-based access like email, storage drives etc.
• Introduce process of informing Saudi Aramco when supplier’s employee with access to Saudi Aramco network has left the company or has been transferred to other department where she/he no longer needs access.
• Introduce process of informing Saudi Aramco when supplier discovers a cybersecurity incident and continuous efforts to resolve and mitigate the incident.

Pre-Audit Evaluation
Before engaging with a Saudi Aramco approved auditor a thorough evaluation of the requirements should be completed. The evaluation will determine the readiness of the supplier in passing through the audit in first attempt.

Engagement with auditors
9T9 Information Technology will work closely with the approved auditor to submit all the required information such as policies and procedures document, system screen shots, training reports, group policies, email settings etc. This engagement is to assure the auditor that all TPC have been covered and that there all gaps have been covered. The auditor will then issue Cybersecurity Compliance Certificate (CCC) to the supplier.
Final step of the project is for the supplier to upload the Cybersecurity Compliance Certificate (CCC) to the supplier to to Saudi Aramco through the e-marketplace system.

The Cybersecurity Compliance Certificate (CCC) is valid for 2 years from date of issue. Every 2 years the supplier should renew the certificate by following the above written process. Over time it is expected that Saudi Aramco would enhance the program. During renewal time the supplier should check for the latest requirements set by Saudi Aramco and work towards being compliant to it. It is mandatory to train staff on cybersecurity threats annually.