SEC 12 Information Protection

HCIS requirements for information protection

Uploaded by Sanjoy Mitra
  • Administration: Covers scope, applications, and conditions regarding the implementation and adherence to the security requirements.
  • Definitions: Defines key terms and acronyms essential for understanding the security directives.
  • References: Lists all the reference materials and standards applicable to the security protocol outlined in the document.
  • General Requirements: Details essential security requirements including risk assessments, policies, procedures, and asset management strategies.
  • Compliance: Discusses the enforcement and compliance measures required to adhere to security policies.
KINGDOM OF SAUDI ARABIA
MINISTRY OF INTERIOR
HIGH COMMISSION FOR INDUSTRIAL SECURITY

SECURITY DIRECTIVES FOR INDUSTRIAL FACILITIES

SEC-12 Information Protection

RESTRICTED. All Rights reserved to HCIS. Copying or distribution prohibited without written permission from HCIS.

Table of Contents

2.0 Administration
  2.1 Scope
  2.2 Application
  2.3 Conflicts & Deviations
3.0 Definitions
4.0 References
5.0 General Requirements
  5.1 Risk Assessment
  5.2 Security Policy
  5.3 Organization of Information Security
  5.4 Asset Management
  5.5 Human Resources Security
  5.6 Physical & Environmental Security
  5.7 Communications & Operations Management
  5.8 Access Control
  5.9 Information Systems Development & Maintenance
  5.10 Information Security Incident Management
  5.11 Business Continuity Management
  5.12 Compliance

2.0 Administration

2.1 Scope

This directive provides the minimum information protection requirements for companies and establishments that are subject to the supervision of the High Commission for Industrial Security (HCIS), Ministry of Interior.

2.2 Application

This Directive is applicable to all facilities, including new projects, the expansion of existing facilities, and upgrades. For application to existing facilities, the Owner shall assess his facilities against the requirements of these Directives and coordinate with the General Secretariat of the High Commission for Industrial Security (HCIS) to comply with the Security, Safety, and Fire Protection requirements according to these Directives, and add to or modify the existing facilities as required.

Where the HCIS has assessed deficiencies in existing facilities during a survey, comparing the current state of the facilities to the requirements of these Directives, those identified deficiencies shall be corrected by the Owner.

2.3 Conflicts & Deviations

Where implementation of a requirement is unsuitable or impractical, where other equivalent company or internationally recognized Standards and Codes are followed, or where any conflict exists between this Directive and other company standards and Codes, the deviations shall be resolved by the HCIS. Deviations lower than the requirements of this directive shall be listed and submitted in a report of compliance or non-compliance, with justification and reason, for each applicable requirement of these security directives, and approval shall be received from the HCIS prior to implementation. The documents shall be retained by the company in its permanent engineering files.

3.0 Definitions

HCIS: High Commission for Industrial Security. The HCIS is part of the Ministry of the Interior. It is responsible for the development and implementation of security, safety and fire protection strategies Kingdom-wide.

Owner: Company or owner of a facility.

Shall: Indicates a mandatory requirement.

Should: Indicates a recommendation, or that which is advised but not required.

Access Control: Restricted access to resources other than to privileged entities.

Audit Logs: Files or prints of information in chronological order that record a particular computer or system event.

Authentication: A process that establishes the origin of information, or determines an entity's identity.

Authorization: Access privileges granted to an entity; conveys an "official" sanction to perform a security function or activity.

Backup: A reserve copy of data that is stored separately from the original, for use if the original becomes lost or damaged.

Confidentiality: The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.

Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. NOTE: Control is also used as a synonym for safeguard or countermeasure.

Encryption: The process of obscuring information using a cryptographic algorithm to make it unreadable without special knowledge.

Firewall: A piece of hardware or software which functions in a networked environment to prevent communications forbidden by security policy.

Industrial Processing Facilities: Any processing facility such as refineries, water treatment plants, petrochemical plants, etc.

Information Asset: Information records that are of significant value to the organization.

Information Processing Facilities: Any information processing system, service or infrastructure, or the physical locations housing them.

Information Security: Preservation of confidentiality, integrity and availability of information. In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Information Security Event: An information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant. [ISO/IEC TR 18044:2004]

Information Security Incident: An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. [ISO/IEC TR 18044:2004]

Integrity: The property that sensitive data have not been modified or deleted in an unauthorized and undetected manner.

ISA: "The Instrumentation, Systems, and Automation Society". ISA is a leading, global, nonprofit organization that sets standards for automation.

Password: A form of secret authentication data that is used to control access to a resource.

Policy: Overall intention and direction as formally expressed by management.

Risk: Combination of the probability of an event and its consequence. [ISO/IEC Guide 73:2002]

Risk Analysis: Systematic use of information to identify sources and to estimate the risk. [ISO/IEC Guide 73:2002]

Risk Assessment: Overall process of risk analysis and risk evaluation. Risk Assessment is a methodology to identify and quantify risks to ensure that these risks can be minimized to an acceptable level. [ISO/IEC Guide 73:2002]

Risk Evaluation: Process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002]

Risk Management: Coordinated activities to direct and control an organization with regard to risk. NOTE: Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication. [ISO/IEC Guide 73:2002]

Risk Treatment: Process of selection and implementation of measures to modify risk. [ISO/IEC Guide 73:2002]

Third Party: The person or body that is recognized as being independent of the parties involved, as concerns the issue in question. [ISO/IEC Guide 2:1996]

Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization. [ISO/IEC 13335-1:2004]

Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats. [ISO/IEC 13335-1:2004]

4.0 References

This directive adopts the latest edition of the references listed. The selection of material and equipment, and the design, construction, maintenance, operation and repair of equipment and facilities covered by this SD shall comply with the latest edition of the references listed in each SD, unless otherwise noted.

COBIT: Control Objectives for Information and related Technologies
ISA-TR99.00.01-2004: ISA Technical Report: Security Technologies for Manufacturing and Control Systems
ISA-TR99.00.02-2004: ISA Technical Report: Integrating Electronic Security into the Manufacturing and Control Systems Environment
ISO/IEC 17799:2005: Information Technology; Code of Practice for Information Security Management
ISO/IEC TR 13335: Information Technology; Guidelines for the Management of IT Security
SANS Security Policies: SysAdmin, Audit, Network, Security Institute
HIPAA 1996: Health Insurance Portability and Accountability Act of 1996
NIST Security Guidelines (800 Series): National Institute of Standards & Technology / Computer Security Resource Center
Canadian Government Security Policy, February 1, 2002

5.0 General Requirements

5.1 Risk Assessment

5.1.1 Risk Assessments shall be performed for critical information systems or facilities.

5.1.2 The scope of the Risk Assessment shall cover all security-related systems that are deployed by the Owner, and may be either the whole organization, an individual information system, specific system component(s), or service(s), where this is practical, realistic, and helpful to protect the organization's valuable information assets and Information Processing Facilities.

5.2 Security Policy

5.2.1 Owner shall set clear direction to protect critical information assets through the issue and maintenance of an information security policy across the organization.

5.2.2 Facilities that have substantial manpower or resources shall formulate and implement information security policies, as deemed appropriate, in line with current best practices and in compliance with this document. Reference: National Institute of Standards & Technology (NIST); SysAdmin, Audit, Network, Security Institute (SANS).

5.2.3 Information security policies shall be reviewed, either at planned intervals or when significant changes occur, to ensure their suitability and effectiveness.

5.2.4 All employees and contractors shall be required to sign an undertaking not to reveal any information related to the company.

5.2.5 All documents, drawings, computer data, etc. shall remain the property of the company and may not be removed without express permission of the company.

5.3 Organization of Information Security

5.3.1 A management framework for information security shall be established to manage information security effectively within an organization. This may include appointing a Chief Information Officer and assigning information security responsibilities, e.g. awareness, policy implementation, risk management and compliance monitoring, as deemed necessary.

5.3.2 Clear roles and responsibilities of information owners, users and information security managers shall be established and documented to ensure effective information security implementation within the organization.

5.4 Asset Management

5.4.1 Information assets shall have owners, as applicable, who are responsible for the protection of their assets. Implementation of controls may be delegated by the owner as appropriate.

5.4.2 An Information Classification Policy shall be defined to classify information assets according to a structure that is used to ensure special protection and handling measures for sensitive information.

5.4.3 Owner shall maintain an inventory of all important assets.

5.5 Human Resources Security

5.5.1 Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy.

5.5.2 Employees, contractors and third party users shall sign an agreement or statement of understanding on their use of information assets and facilities.

5.5.3 An information security awareness program shall be established to ensure an adequate level of awareness of security procedures by concerned employees, contractors and third party users.

5.5.4 Procedures shall be in place to ensure that the exit of employees, contractors, or third party users from the organization is managed, including the return of all company equipment and the removal of their access rights.

5.6 Physical & Environmental Security

5.6.1 Critical or sensitive information processing facilities shall be housed in secure areas and protected by defined security perimeters with appropriate security barriers. They shall be physically protected from unauthorized access, damage and interference.

5.6.2 Computer and Communication secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

5.6.3 Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied where the sensitivity of the Computer and Communication facility justifies it.

5.6.4 Equipment shall be sited or protected to reduce the risks from environmental threats, hazards, or unauthorized access.

5.6.5 Procedures shall be established to ensure that sensitive data on electronic storage media are removed or securely overwritten prior to media disposal.

5.6.6 The organization's computer and communication equipment, sensitive information or licensed software shall not be taken off-site without prior authorization.

5.6.7 Procedures shall be in place to ensure that electronic storage media are disposed of properly when no longer needed.

5.6.8 Organizations shall use automated entrance control systems, TV camera systems (CCTV), and/or intruder detection systems, where applicable, to secure Computer and Communication facilities from unauthorized access.

5.7 Communications & Operations Management

5.7.1 Operating procedures shall be documented, maintained, and made available to all users who need them.

5.7.2 Responsibilities for the operation of information processing facilities shall be established.

5.7.3 Segregation of duties shall be implemented, where appropriate, to reduce the risk of negligent or deliberate systems misuse.

5.7.4 Changes to information processing facilities and systems should be controlled. These include formal approval for changes to critical systems and planning and testing of changes.

5.7.5 Detection, prevention, and recovery controls to protect against malicious code shall be implemented as feasible. Examples are anti-virus and security patching of systems.

5.7.6 Back-up copies of information and software shall be taken and tested regularly in accordance with the company backup policy.

5.7.7 Appropriate user awareness to control the threats from malicious code shall be implemented as needed.

5.7.8 Company computer networks, systems and applications shall be protected from unauthorized access.

5.7.9 Classified information involved in electronic messaging, or electronic commerce services, shall be protected as required.

5.7.10 Audit logs that record user activities, exceptions, and information security events shall be produced, protected from unauthorized access, and reviewed on an ongoing basis.

5.7.11 Audit logs shall be kept for an agreed period to assist in future reviews, access control monitoring and possible forensic investigations. The retention period for audit logs shall be long enough for operational, legal or disaster recovery purposes.

5.7.12 All high- and medium-critical or sensitive manufacturing and control networks shall be firewalled or disconnected from any external networks (site, corporate, and/or public networks). All high and medium risk company networks should also be firewalled from the Internet or public networks.

5.7.13 Sensitive data traveling over public networks, outside the manufacturing and control network, shall be encrypted as applicable.

5.7.14 Operating systems, databases, network devices, firewalls, etc. shall be security hardened according to vendor guidelines or internally documented technical standards.

5.8 Access Control

5.8.1 Access to the organization's information and information processing facilities shall be controlled on the basis of the organization's business requirements.

5.8.2 Procedures shall be in place to control user registration, de-registration when no longer required, and the allocation of access rights and privileges.

5.8.3 The allocation of user IDs/passwords, and/or other technologies used for identification and authentication purposes such as biometrics, fingerprint verification, signature verification, and hardware tokens such as smart cards, etc., shall be managed and controlled through a formal management process.

5.8.4 Users shall have unique User IDs/Passwords, or other identification methods, to ensure their proper identification and authentication to access data and computer systems.

5.8.5 User access rights shall be reviewed, as needed, to maintain effective control over access to data and information services.

5.8.6 Users shall be made aware of their responsibilities for maintaining effective access control, especially regarding the use of passwords and the security of user-assigned equipment.

5.8.7 Appropriate authentication methods shall be used to control access by remote users.

5.9 Information Systems Development & Maintenance

5.9.1 Appropriate controls shall be designed into applications to prevent errors, loss or unauthorized modification. These include input/output data validation, segregation of duties and access control.

5.9.2 Security requirements shall be identified, documented and agreed to, prior to the implementation of information systems, to ensure they incorporate appropriate controls.

5.9.3 Business application software in development shall be kept strictly separate from production application software. If existing facilities permit it, this separation must be achieved via physically separate computer systems. When computing facilities do not allow this, separate directories or libraries with strictly enforced access controls should be employed.

5.9.4 Business application software development staff should not be permitted to access production information, with the exception of the production information relevant to the particular application software on which they are currently working. If the information is non-sensitive they can be granted read access, and the developer should only be assigned a temporary ID or temporary access for the duration of the work.

5.10 Information Security Incident Management

5.10.1 Responsibilities and procedures shall be in place to monitor information security incidents within the organization.

5.10.2 Responsibilities and procedures shall be in place to report promptly and resolve information security incidents within the organization.

5.11 Business Continuity Management

5.11.1 A Business Continuity Plan for the organization's critical information systems shall be developed, implemented, tested periodically and maintained to ensure the continuity of essential business operations in the event of natural or man-made disasters, accidents, sabotage, malicious code, virus, and equipment failures.

5.11.2 Procedures shall be established to implement the needed information backup for operational and business continuity requirements.

5.12 Compliance

5.12.1 Processes shall be established to ensure that the design, operation, and use of information systems comply with this document and internal policies of the organization.

5.12.2 Organizations shall perform regular reviews of information systems to ensure compliance with defined security policies and procedures.
