| Assessment Elements | Answer Options | What looks immature | What looks mature | Evidence Type |
|---|---|---|---|---|
| Do you meet KSA's National Cyber Security Authority standards and international Cyber Security standards? | - KSA National Cyber Security Authority - International Cyber Security Authority - Not available | No compliance with Cyber Security standards | Policies and procedures in place in line with renowned national standards such as NCA and international standards such as ISO27K and NIST, ensuring proper information security practices | Kindly attach the NCA and/or ICA certifications |
| Do you have a documented, implemented and regularly reviewed Cyber Security strategy? | -Yes -No | Strategy not defined | Cyber Security strategy is defined, documented, supported by the head of the organization, and regularly reviewed. A roadmap is executed to implement the strategy. | Please attach the cyber security strategy |
| Do you have a dedicated Cyber Security function in the organization with clear roles and responsibilities? | -Yes -No | No independent Cyber Security function | Dedicated Cyber Security function established with clear roles and responsibilities which are periodically reviewed | Please highlight, within one of the existing organization structures of your facility, where the cyber security function lies |
| Do you have defined and documented Cyber Security policies and procedures by the Cyber Security function? | -Yes -No | No Cyber Security policies and procedures in place | Cyber Security policies and procedures defined, documented, implemented and reviewed. They are supported by technical security standards (e.g. operating systems, databases and firewall technical security standards) | Please attach a sample of the cyber security policy and procedures (one policy and one procedure) |
| Risk assessment procedures are documented and implemented in: | - Early stages of technology projects - Before major tech infrastructure changes - During planning and before going live for new technology services and products - Risk assessment procedures are regularly reviewed. | No risk assessment procedures in place | Risk assessment procedures are documented and implemented in 1) early stages of technology projects 2) before major tech infrastructure changes 3) during planning and before going live for new technology services and products. Risk assessment procedures are regularly reviewed. | Please attach a documented sample of a risk assessment procedure |
| Is cyber security considered a strategic risk, integrated into the enterprise risk register and regularly reviewed by the board? | - Yes. The risk register is regularly reviewed and appropriate treatment actions for cyber risks are flowed into the security governance structure. - No | Cyber security is not included in the enterprise risk register. | Cyber security risks are clearly identified and articulated in sufficient detail in the enterprise risk register. This includes assessing the impact of cyber risks to the business (in business terms). The risk register is regularly reviewed and appropriate treatment actions for cyber risks are flowed into the security governance structure. | Please attach a sample of the cyber security risks that are articulated in your enterprise risk register (Screen Sample or Attachment) |
| With regard to Project Management, what Cyber Security requirements are in place? | - Secure coding standards - Trusted and licensed sources for software development tools and libraries - Secure integration between software components - The requirements are periodically reviewed - None | No Cyber Security requirements in place for project management | The Cyber Security requirements related to software and application development projects include secure coding standards, trusted and licensed sources for software development tools and libraries, and secure integration between software components. The requirements are periodically reviewed. | Please attach the documented cyber security requirements for project management |
| Do you have a Cyber Security awareness program implemented that covers secure handling of emails, mobile devices, internet browsing, and use of social media? | - Cyber Security awareness program - Cyber Security training implemented - None | No Cyber Security awareness program in place | Cyber Security awareness program developed and implemented. It covers secure handling of emails, mobile devices, internet browsing, and use of social media. | Kindly attach the cyber security awareness training manual or content |
| Do you have training programs in place for Cyber Security personnel? | -Yes -No | Basic programs implemented on an ad-hoc basis | Training programs implemented and tailored to job functions related to Cyber Security. These programs are periodically reviewed | Kindly attach the cyber security personnel training manual or content |
| Do you have an acceptable use policy for information and tech assets defined, implemented and regularly reviewed, under which IT assets must be labelled and classified as per related regulatory requirements? | -Yes -No | Asset management policies not implemented | Acceptable use policy for information and tech assets defined, implemented and regularly reviewed. In addition, IT assets must be labelled and classified as per related regulatory requirements | Kindly attach the required policy |
| Do you have measures in place to prevent storage of patient data on local devices? | -Yes -No | No procedure in place to prevent such an event | Defined and implemented procedures in place to prevent storage of patient data on local devices | Please provide the documented procedure to prevent storage of patient data on local devices |
| Which authentication mechanism does your solution support? | - User authentication based on username and password - Multi-factor authentication - Privileged access management - Single sign-on - No IAM in use | No IAM cyber requirements documented nor implemented | IAM requirements are documented, implemented, and reviewed. They cover user authentication based on username and password, multi-factor authentication, privileged access management and single sign-on. | Please provide a screen sample of the authentication mechanism used in your solution |
| Which of the following requirements for the protection of information systems and information processing facilities are documented and implemented? | - Firewall implementation - Network segregation (production, testing, deployment) - Security of domain name service - Intrusion prevention and detection systems - None | No requirements documented nor implemented | Requirements are documented, implemented, and periodically reviewed. They cover firewall implementation, network segregation (production, testing, deployment), intrusion prevention systems, security of domain name service, etc. They also cover advanced, up-to-date management of malware and virus protection on servers and workstations, restricted use of external storage media, and patch management for information systems, software and devices | Please specify the implemented solution name and provide a screen sample |
| Is there an Intrusion detection system in place? | -Yes -No | No intrusion detection system in place | Intrusion detection system implemented | Please provide a screen sample of the intrusion detection system used |
| Which of the following requirements do you have for mobile device security, if any? | - Secure wiping of organization's data and information stored on mobile devices and BYOD - Separation and encryption of organization's data and information stored on mobile devices and BYODs - None | No requirements documented nor implemented | Requirements are documented, implemented, and periodically reviewed. They cover secure wiping of organization's data and information stored on mobile devices and BYOD, separation and encryption of organization's data and information stored on mobile devices and BYODs, etc. | Please highlight the requirements within the policy and procedure documents (Screen Sample or attachment) |
| Are portable/mobile devices recognized and authorized to operate on the network? | -Yes -No | Portable devices are neither recognized nor required to be authorized to operate on the network | Portable/mobile devices are recognized and authorized to operate on the network | Please provide a screen sample of the page in the system that shows recognition of the devices operating on the network |
| Can hospital owned devices be remotely wiped if they are lost or stolen? | -Yes -No | Hospital owned devices cannot be remotely wiped if they are lost or stolen | Hospital owned devices can be remotely wiped if they are lost or stolen | Please provide a screen sample of the ability in the system to perform that option |
| Is there a data destruction policy in place and, if so, how often is it reviewed? | - Quarterly - Half Yearly - Yearly - None | No data destruction policy in place | Data destruction policy is documented and regularly reviewed | Please attach the data destruction policy |
| Which of the data and information protection requirements to ensure confidentiality, privacy, integrity and availability of the organization's data and information exist? | - Data and information ownership - Data and information classification and labelling mechanisms - Data and information privacy - None | No requirements documented nor implemented | Requirements for protecting and handling data and information are documented, implemented, and periodically reviewed. They cover data and information ownership, data and information classification and labelling mechanisms, and data and information privacy. | Kindly highlight the requirements for handling and protecting data and information in the related document (Screen Sample or attachments) |
| Which of the following data-related policies are documented in your organization? | - Data privacy policy - Data protection policy - Data storage policy - Data release policy - Data security policy | No data policies exist | Data privacy, protection, storage, release and security policies are documented, regularly reviewed, and amended when necessary | Please attach the available data policies as per the box selection |
| Which incident and threat management requirements are in place (documented, implemented, and periodically reviewed)? | - Vulnerability assessments - PEN testing - Event logs and monitoring management - Incident and threat management - None | No requirements documented nor implemented | Requirements are documented, implemented, and periodically reviewed. They cover vulnerability assessments, PEN testing, event logs and monitoring management, and incident and threat management | Kindly highlight the requirements for incident and threat management in the related document (Screen Sample or attachment) |
| Do you have proper physical security requirements in place to protect against unauthorized physical access, loss, theft and damage? (Select applicable options from the list below) | - Authorized access to sensitive areas within the organization (e.g., data center) - Facility entry/exit records and CCTV monitoring - Secure destruction and re-use of physical assets that hold classified information, etc. - None | No requirements documented nor implemented | Requirements are documented, implemented, and periodically reviewed. They cover authorized access to sensitive areas within the organization (e.g., data center), facility entry/exit records and CCTV monitoring, secure destruction and re-use of physical assets that hold classified information, etc. | Kindly highlight the requirements for backup and recovery management in the related document (Screen Sample or attachments) |
| Do you have proper web application requirements to protect against cyber risks? | - Use of web app firewalls - Secure protocols (e.g. HTTPS) - Secure usage policy for users - Others - None | No requirements documented nor implemented | Requirements are documented, implemented, and periodically reviewed. They cover use of web app firewalls, secure protocols (e.g. HTTPS), secure usage policy for users, etc. | Kindly highlight the requirements for web application management in the related document (Screen Sample or attachment) |
| Which Cyber Security resilience requirements are implemented within the organization's business continuity management to remediate and minimize the impacts on systems and digital services? (if any) | - Plan for continuity of Cyber Security systems and procedures - Response plans for Cyber Security incidents - Disaster recovery plans - None | No business continuity requirements documented nor implemented | Cyber security requirements for business continuity are documented, implemented, and periodically reviewed. They cover continuity of Cyber Security systems and procedures, response plans for Cyber Security incidents, and disaster recovery plans. | Kindly attach the required plans from the question's answer options |
| Have disaster recovery processes for critical systems been tested and audited and regularly reviewed? | -Yes -No | No tests or audits conducted | Tests and audits regularly conducted to identify and rectify gaps | Kindly provide a screen sample of the recovery testing reports (No need to show the results) |
| Which of the following applies for Third-Party and Cloud Computing Cyber Security in your organization? | - Cloud computing security requirements are documented, implemented, and periodically reviewed - The organization has a centralised online database of suppliers - All details populated and regularly updated - Supplier onboarding process ensures that the database is maintained - Policies and procedures around the use of informal suppliers are disseminated and understood by all staff - Regular supplier reviews are carried out - None | There is no central list or database of suppliers. The organization has no control over the use of informal suppliers such as Dropbox. | Centralised online database of suppliers. All details populated and regularly updated. Supplier onboarding process ensures that the database is maintained. Policies and procedures around the use of informal suppliers are disseminated and understood by all staff. Regular supplier reviews are carried out. | Please provide the following evidence: - Attachment of the cloud computing security requirements document - Screen Sample of the online database of suppliers - Attachment of the supplier onboarding process - Attachment of policies and procedures for the use of informal suppliers |
| Which Cyber Security requirements in regard to third parties, including outsourcing and managed services, apply? | - Cyber security requirements for third parties are documented, implemented, and periodically reviewed - They cover non-disclosure clauses and secure removal of the organization's data by third parties upon end of service - They include communication procedures in case of Cyber Security incidents, etc. - None | No third-party requirements documented nor implemented | Cyber security requirements for third parties are documented, implemented, and periodically reviewed. They cover non-disclosure clauses and secure removal of the organization's data by third parties upon end of service, communication procedures in case of Cyber Security incidents, etc. | Please provide the following items: - Attach the Cyber Security requirements document - Attach the non-disclosure clauses - Attach the procedure document used in the case of cyber security incidents |