Saudi Arabia: Adopted Telework Cybersecurity Controls

In 2021, the National Cybersecurity Authority (NCA) adopted the Telework Cybersecurity Controls (TCC-1: 2021). The TCC applies to remote work activities by employees of government organisations and private organisations operating Critical National Infrastructure. The Essential Cybersecurity Controls (ECC) are extended in order to adapt to the cybersecurity needs of remote work. The TCC comprises three principal domains, namely Cybersecurity Governance, Cybersecurity Defence and Third-Party/Cloud Computing Cybersecurity, each of which is further subdivided into specific subdomains. The key governance controls include the documentation of cybersecurity policies, the conduct of risk assessments, and the provision of training on secure telework practices. The cybersecurity defence controls place particular emphasis on asset management, access management, system protection, network security and incident response. Furthermore, the TCC delineates the requisite controls for mobile device security, cryptography, backup, vulnerability management, and penetration testing. The third-party controls stipulate that telework systems hosted on external servers must comply with the cybersecurity standards that are in place in Saudi Arabia.