SAMA, QCB & NESA Regulations on Business Continuity Planning & Testing
Date: 24 May 2020
We reviewed SAMA, QCB & NESA Regulations on Business Continuity Planning, Testing & Cyber tabletop exercises and created an easy reference for you. We will be updating this blog regularly. If you are aware of updates and new regulations, email the author here.
Testing cyber incident response plans can be a chore for some, but if you are based in the Middle East you have little choice but to regularly test your cyber incident response plans and your business continuity plans. It's important to note that in many instances the regulations specifically mention cyber tabletop exercises.
Without much ado, let's take a look at the regulations from SAMA, QCB and NESA that specifically ask for cyber incident response testing. Some of the words may have been edited for grammar or presentation reasons.
Kingdom of Bahrain: The Central Bank of Bahrain
Under OM-6.6 Cyber Security Measures, it says:
OM-6.6.2: The Board and senior management must ensure that the cybersecurity controls are periodically evaluated for adequacy, taking into account emerging cyber threats and establishing a credible benchmark of cyber security controls endorsed by the Board and senior management. Should material gaps be identified, the Board and senior management must ensure that corrective action is taken immediately.
Qatar: Qatar's Central Bank or QCB
Business continuity management - 6.1. BCP/DR considerations
6.1.9. Annual BCP testing shall include the following:
- Tabletop testing – Discussing business recovery arrangements using example interruptions.
- Simulation testing – To train personnel in post-incident and crisis management roles.
- Complete rehearsals – To test if the organisation, personnel, equipment, facilities and processes can cope with a crisis.
8. IT operations - 8.2. Incident management
8.2.11. The predetermined escalation and response plan for security incidents shall be tested on an annual basis to simulate how the organisation responds to cyber-attacks, such as ransomware, extortion, DDoS and Level 1 severity incidents. These tests shall be carried to check the efficiency of the processes and the incident response plan.
QCB's regulations clearly recommend an effective business continuity test, which Cyber Management Alliance is well-equipped to offer. We have the expertise, the experience and requisite skills to support you in hosting a productive and effective cyber crisis tabletop exercise. We work with you on planning, creating scenarios, producing the scripts and artefacts and running the actual workshop.
Kingdom of Saudi Arabia: Saudi Arabian Monetary Authority (SAMA)
Cybersecurity Strategy: 3.2.4 Cybersecurity Crisis Management
This strategic stream should include the following initiatives but should not be limited to these initiatives if required:
- Establish an effective cybersecurity crisis management process, including supporting procedures.
- Conduct Saudi banking cybersecurity crisis management exercises.
Business Continuity Management Framework
- 2.9.1-1: The Member Organisation should periodically conduct BCP simulation test exercises (“at least once a year”).
- 2.9.1-2: The tests should consider appropriate scenarios that are well planned with clearly defined objectives (e.g., per function, per service, per process, per location, per worst case scenario).
The Member Organisation should take into consideration to include cybersecurity.
SAMA's regulations reiterate that conducting regular cyber crisis simulation test exercises is imperative for business continuity. Businesses across the globe are taking cognizance of the importance of hosting such internal cyber crisis tabletop workshops with Cyber Management Alliance as their trusted partner.
United Arab Emirates (UAE)'s NESA
Information Assurance Standards: T8.2.5 Incident Response Testing
- Incident response testing must simulate pre-defined breach scenarios across the incident response lifecycle from detection, reporting, and recovery to normal operations.
- Incident response testing includes, for example, the use of checklists, tabletop (discussion-based) exercises, and functional (performance of duties in a simulated environment) exercises.
T9.3.1 Testing, Maintaining and Re-assessing Information Systems, Continuity Plans Systems, Continuity PlansA variety of techniques should be used in order to provide assurance that the plan(s) will operate in real life. These should include:
- Tabletop testing of various scenarios (discussing the business recovery arrangements using example interruptions)
- Simulations (particularly for training people in their post-incident/crisis management roles)
NESA - The National Electronic Security Authority, is a government body tasked with protecting the UAE's critical information infrastructure and improving national cyber security.
Regular cyber tabletop testing is no longer just a healthy cybersecurity practice, it is now mandatory for businesses in specific sectors and regions.
Cyber Management Alliance is the global front-runner in enabling organisations to successfully test their business continuity plans. We also present our clients with a formal audit report of the exercise that provides them with important data including a cyber breach-readiness score that provides a good indication about how ready they are to respond to a specific cyber-attack scenario.