
Third: Supervisory Procedures

No: 42063179 Date(g): 17/4/2021 | Date(h): 6/9/1442 Status: In-Force

Translated Document

Banks must adhere to the maturity level required by the Cyber Security Framework and the Business Continuity Management Framework, with particular attention to the following:

1. The cyber security policy must cover the cyber security aspects of employees' work and be reviewed periodically, and must include the following at a minimum:

  a. Access to banking systems and verification of the identity of the person logging in.

  b. Linking privileges on banking systems to job grades and defining the level of privileges (validity) for each job grade.

  c. Password management, including the following:

    1- The password must consist of numbers, letters and symbols.

    2- The password must be changed every three months.

    3- If an employee enters the login credentials for a banking system incorrectly three consecutive times, the username must be suspended and restored only through specific procedures defined in the bank's internal policy.

    4- Employees must be reminded to safeguard their user accounts and login credentials and not to disclose or share them.

  d. Restricting access to the devices and systems used in the bank in line with cyber security best practices and business needs, on the "Need-to-Know" principle; for example, hiding the customer balance from employees whose duties do not require knowing it.

  e. Defining security practices and policies that maintain the confidentiality of information.

  f. Identifying unsafe and unsound banking practices.

  g. Developing scenarios to detect suspicious operations when systems are accessed.

  h. Not allowing data to be copied or shared, or software to be installed, without the consent of the authorized person.

  i. Defining login, logout and saving procedures, and confirming that the data screen is closed when not in use.

  j. Basing authentication and access controls on the risks and sensitivity of the systems and data being accessed.
 
2. Periodically review the minimum permissions for accessing banking systems, conducting operations and accessing bank account data, and document this in periodic review records.

3. Hide customer signatures and balances for all accounts that are in an unclaimed or abandoned state.

4. Monitor the accounts of employees designated to access banking systems, and automatically record all access to bank account information for reference when needed, retaining it for a minimum period of (5) years; the recorded information must include at least the following:

  a. Employee name and job number.

  b. Internet Protocol address ("IP address").

  c. Date and time of login.

  d. Privileges (validity).

  e. Authentication.

  f. Action performed.
 
5. Establish all the technical and security controls needed to accurately identify the employee using a computer or any of the banking systems.

6. Restrict access to banking systems from computers located in branches after the end of official working hours, and put the necessary precautionary controls in place where access to banking systems outside official working hours is needed.

7. Ensure that alternative plans and solutions are in place to ensure business continuity and enable secure access to banking systems.

8. Take the necessary measures if customer data is found to have been accessed by an unauthorized person.

9. Ensure that privileged access is limited to employees with administrative privileges and key employees only, and limit the access of competent staff - such as IT and technical support staff - to network maintenance, without access to confidential customer information.

10. When maintenance work is carried out on a branch's systems, verify before the work starts that the branch's maintenance team is among the crew designated for maintenance work and sent by the competent department, with adequate control procedures in place.
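The following Python module is an added illustration, not part of the supervisory procedure or of any bank's system, of how the password-management controls in item 1(c) and the access-log fields in item 4 fit together in one login path: a complexity check, a three-month expiry, suspension of the username after three consecutive failures that a correct password cannot lift, an explicit recorded reinstatement step standing in for the bank's internal procedure, and an access record carrying employee name, job number, IP address, timestamp, privileges, authentication result and action, with a five-year minimum retention check. The 90-day reading of "three months", the 365-day year, the account, IP, timestamps and ticket reference are all constructed assumptions of this example.

```python
# Added example (not part of the supervisory procedure): password controls from
# item 1(c) and the access-log fields from item 4. All names, the 90-day reading of
# "three months", and the sample account are assumptions of this illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

MAX_CONSECUTIVE_FAILURES = 3              # item 1(c)(3)
PASSWORD_MAX_AGE = timedelta(days=90)     # item 1(c)(2), "three months" assumed as 90 days
LOG_RETENTION = timedelta(days=5 * 365)   # item 4, minimum (5) years (leap days ignored)


def password_meets_policy(password: str) -> bool:
    """Item 1(c)(1): numbers, letters and symbols must all be present."""
    has_digit = any(c.isdigit() for c in password)
    has_letter = any(c.isalpha() for c in password)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    return has_digit and has_letter and has_symbol


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Item 1(c)(2): the password must be changed every three months."""
    return now - last_changed >= PASSWORD_MAX_AGE


@dataclass
class AccessRecord:
    """Item 4(a)-(f): the minimum fields kept for every access to account data."""
    employee_name: str
    job_number: str
    ip_address: str
    timestamp: datetime
    privileges: str
    authentication: str      # "success", "failure", "suspended" or a procedure reference
    action: str


@dataclass
class Account:
    employee_name: str
    job_number: str
    privileges: str
    password: str            # plaintext only for this illustration; store a hash in practice
    consecutive_failures: int = 0
    suspended: bool = False


class LoginGuard:
    """Suspends a username after three consecutive failures (item 1(c)(3)) and logs
    every attempt with the item 4 fields. Reinstatement is an explicit, recorded
    administrative step standing in for the bank's internal procedure."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.records: List[AccessRecord] = []

    def _log(self, acct: Account, ip: str, now: datetime, outcome: str, action: str) -> None:
        self.records.append(AccessRecord(acct.employee_name, acct.job_number, ip,
                                         now, acct.privileges, outcome, action))

    def login(self, username: str, password: str, ip: str, now: datetime, action: str) -> str:
        acct = self.accounts[username]
        if acct.suspended:                       # a correct password does not lift a suspension
            self._log(acct, ip, now, "suspended", action)
            return "suspended"
        if password != acct.password:
            acct.consecutive_failures += 1
            if acct.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                acct.suspended = True
                self._log(acct, ip, now, "suspended", action)
                return "suspended"
            self._log(acct, ip, now, "failure", action)
            return "failure"
        acct.consecutive_failures = 0            # only consecutive failures count
        self._log(acct, ip, now, "success", action)
        return "success"

    def reinstate(self, username: str, reference: str, admin_job_number: str, now: datetime) -> None:
        """Restore a suspended username, recording the internal-procedure reference."""
        acct = self.accounts[username]
        acct.suspended = False
        acct.consecutive_failures = 0
        self.records.append(AccessRecord("administrator", admin_job_number, "n/a", now, "admin",
                                         "procedure:" + reference, "reinstate " + username))

    def records_due_for_retention_review(self, now: datetime) -> List[AccessRecord]:
        """Records past the minimum retention period; nothing may be purged earlier."""
        return [r for r in self.records if now - r.timestamp >= LOG_RETENTION]


def run_scenario() -> dict:
    """Constructed walk-through: one teller account and a mix of good and bad logins."""
    t0 = datetime(2021, 4, 17, 9, 0)                                # constructed timestamp
    guard = LoginGuard()
    guard.accounts["teller1"] = Account("A. Teller", "EMP-0001", "teller", "Br4nch!pass")
    attempts = ["wrong", "Br4nch!pass", "wrong", "wrong", "wrong", "Br4nch!pass"]
    outcomes = [guard.login("teller1", pw, "10.0.0.5", t0, "view balance") for pw in attempts]
    guard.reinstate("teller1", "TICKET-placeholder", "EMP-ADMIN", t0)   # placeholder reference
    outcomes.append(guard.login("teller1", "Br4nch!pass", "10.0.0.5", t0, "view balance"))
    return {
        "outcomes": outcomes,
        "record_count": len(guard.records),
        "expired_at_90_days": password_expired(t0, t0 + timedelta(days=90)),
        "expired_at_89_days": password_expired(t0, t0 + timedelta(days=89)),
        "due_after_5_years": len(guard.records_due_for_retention_review(t0 + LOG_RETENTION)),
        "due_after_100_days": len(guard.records_due_for_retention_review(t0 + timedelta(days=100))),
    }
```

Running `run_scenario()` shows the sequence failure, success, failure, failure, suspended: the successful login in between resets the counter, so only the three consecutive failures trigger the suspension, after which the correct password is still refused until the recorded reinstatement. Every attempt, including the refused ones and the reinstatement itself, leaves a record with the item 4 fields, and the retention helper only surfaces records once the five-year minimum has passed.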