Description

Adopted Cybersecurity Regulation in Organisation's Social Media Accounts Cybersecurity Controls

In 2021, the Organisation's Social Media Accounts Cybersecurity Controls (OSMACC) was issued by the National Cybersecurity Authority (NCA). The OSMACC applies to private companies that use social media accounts and own, operate or host "sensitive national infrastructure". OSMACC is an extension of the previously issued Essential Cybersecurity Controls (ECC), which means that any organisation that works on "sensitive national infrastructure" and is subject to OSMACC is subject to the ECC as well. Additionally, the five main domains remain the same as well (cybersecurity governance, cybersecurity defence, third-party and cloud computing security, and Industrial Control Systems protection). The organisation's social media accounts are to follow specific cybersecurity requirements similar to the rest of the operations within the company. For example, the risk management in OSMACC includes risk assessments for social media accounts yearly. Additionally, the relevant devices and social media accounts may not be used for personal reasons (e.g. calling, browsing). The accounts may not be accessed from insecure or public networks and devices. Identities, passwords, and other authentication methods should be sufficiently secured, and two-step authentication is required for any login. Passwords should be secure and altered regularly. Moreover, a specific protocol for cyber incidents should be created. The devices used for social media should have a Mobile Device Management System (MDM), and security updates should be conducted monthly. The content and account on the social media platform should be monitored for any unauthorised access, suspicious patterns or unauthorised content. Third parties are required to comply with the organisation's cyber requirements and are obligated to report any incidents. Compliance will be monitored by the NCA through audits and the reception of cyber reports by the organisations. Social media accounts may not include any personal data. Additionally, any tech assets used for social media may not include any classified data. Finally, third parties are required to delete any data obtained from organisations as soon as the purpose/service is fulfilled.

Original source

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: infrastructure provider: internet and telecom services, infrastructure provider: cloud computing, storage and databases
Implementation Level: national
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2021-01-01
adopted

In 2021, the Organisation's Social Media Accounts Cybersecurity Controls (OSMACC) was issued by the…