
KINGDOM OF SAUDI ARABIA

MINISTRY OF INTERIOR
HIGH COMMISSION FOR INDUSTRIAL SECURITY

SECURITY DIRECTIVES
FOR INDUSTRIAL FACILITIES

SEC-12

Information Protection

Issue Date: 12/6/1431H / 26/05/2010

RESTRICTED
All Rights reserved to HCIS. Copying or distribution prohibited without written permission from HCIS
Kingdom of Saudi Arabia
Ministry of Interior
High Commission for Industrial Security
Secretariat General

SEC-12 Information Protection

Table of Contents

1.0. ADMINISTRATION
1.1. SCOPE
1.2. APPLICATION
1.3. CONFLICTS & DEVIATIONS
2.0. DEFINITIONS
3.0. REFERENCES
4.0. GENERAL REQUIREMENTS
4.1. SECURITY POLICY
4.2. ORGANIZATION OF INFORMATION SECURITY
4.3. ASSET MANAGEMENT
4.4. HUMAN RESOURCES SECURITY
4.5. PHYSICAL & ENVIRONMENTAL SECURITY
4.6. COMMUNICATIONS & OPERATIONS MANAGEMENT
4.7. ACCESS CONTROL
4.8. INFORMATION SECURITY INCIDENT MANAGEMENT
4.9. BUSINESS CONTINUITY MANAGEMENT
4.10. COMPLIANCE
5.0. APPLICATION OF REQUIREMENTS


1.0. Administration

1.1. Scope

This directive provides the minimum requirements for information protection at
companies and establishments that are subject to the supervision of the High
Commission for Industrial Security (HCIS), Ministry of Interior.

1.2. Application

This Directive is applicable to all facilities, including new projects, the expansion of
existing facilities, and upgrades. For application to existing facilities, the Operator
shall assess his facilities against the requirements of these Directives and coordinate
with the General Secretariat of the High Commission for Industrial Security (HCIS) to
comply with the Security, Safety, and Fire Protection requirements according to these
Directives and add to or modify the existing facilities as required. Where the HCIS
has assessed deficiencies in existing facilities during a survey, comparing the current
state of the facilities to the requirements of these Directives, those identified
deficiencies shall be corrected by the Operator.

1.3. Conflicts & Deviations

Where implementation of a requirement is unsuitable or impractical, where other
equivalent company or industry Standards and Codes are followed, or where any
conflict exists between this Directive and other company standards and Codes, the
deviations shall be resolved by the HCIS. Deviation lower than the requirements of
this directive shall be listed and submitted in a report of compliance or non-
compliance, with justification and reason, for each applicable requirement of these
security directives, and approval shall be received from the HCIS prior to
implementation. The documents shall be retained by the company in its permanent
engineering files.


2.0. Definitions

HCIS: High Commission for Industrial Security. The HCIS is part of the Ministry of
the Interior. It is responsible for the development, and implementation, of security,
safety and fire protection strategies Kingdom-wide.

Operator: Company or owner of a facility.

Shall: Indicates a mandatory requirement.

Should: Indicates a recommendation or that which is advised but not required.

Access Control: Restricted access to resources other than to privileged entities.

Audit Logs: Files or prints of information in chronological order that record a
particular computer or system event.

Authentication: A process that establishes the origin of information, or determines an
entity's identity.

Authorization: Access privileges granted to an entity; conveys an "official" sanction
to perform a security function or activity.

Backup: A reserve copy of data that is stored separately from the original, for use if
the original becomes lost or damaged.

Confidentiality: The property that sensitive information is not disclosed to
unauthorized individuals, entities, or processes.

Control: Means of managing risk, including policies, procedures, guidelines, practices
or organizational structures, which can be of administrative, technical, management,
or legal nature.
NOTE: Control is also used as a synonym for safeguard or countermeasure.

Encryption: The process of obscuring information using a cryptographic algorithm to
make it unreadable without special knowledge.

Firewall: A piece of hardware or software which functions in a networked environment
to prevent communications forbidden by security policy.

Industrial Processing Facilities: Any processing facility such as refineries, water
treatment plants, petrochemical plants, etc.

Information Asset: Information records that are of significant value to the
organization.

Information Processing Facilities: Any information processing system, service or
infrastructure, or the physical locations housing them.

Information Security: Preservation of confidentiality, integrity and availability of
information. In addition, other properties, such as authenticity, accountability,
non-repudiation, and reliability can also be involved.

Information Security Event: An information security event is an identified occurrence
of a system, service or network state indicating a possible breach of information
security policy or failure of safeguards, or a previously unknown situation that may
be security relevant. [ISO/IEC TR 18044:2004]

Information Security Incident: An information security incident is indicated by a
single or a series of unwanted or unexpected information security events that have a
significant probability of compromising business operations and threatening
information security. [ISO/IEC TR 18044:2004]

Integrity: The property that sensitive data have not been modified or deleted in an
unauthorized and undetected manner.

ISA: "The Instrumentation, Systems, and Automation Society". ISA is a leading, global,
nonprofit organization that sets standards for automation.

Password: A form of secret authentication data that is used to control access to a
resource.

Policy: Overall intention and direction as formally expressed by management.

Risk: Combination of the probability of an event and its consequence.
[ISO/IEC Guide 73:2002]

Third Party: The person or body that is recognized as being independent of the parties
involved, as concerns the issue in question. [ISO/IEC Guide 2:1996]

Threat: A potential cause of an unwanted incident, which may result in harm to a
system or organization. [ISO/IEC 13335-1:2004]

Vulnerability: A weakness of an asset or group of assets that can be exploited by one
or more threats. [ISO/IEC 13335-1:2004]

3.0. References

This directive adopts the latest edition of the references listed.

The selection of material and equipment, and the design, construction, maintenance,
operation and repair of equipment and facilities covered by this SD shall comply with
the latest edition of the references listed in each SD, unless otherwise noted.

ISO/IEC TR 13335 Information Technology; Guidelines for the management of IT Security


4.0. General Requirements

All security data shall be safeguarded by physical and procedural methods and
dissemination limited to authorized personnel. The Operator shall take tangible,
documented steps to ensure compliance with this general policy and with this
directive.

4.1. Security Policy

4.1.1. Operator shall set clear direction to protect critical information assets
through the issue and maintenance of an information security policy
across Industrial Security.

4.1.2. Information security policies shall be reviewed, either at planned intervals
or when significant changes occur, to ensure their suitability and
effectiveness.

4.1.3. All employees and contractors shall be required to sign an undertaking to
not reveal any information related to the company.

4.1.4. All documents, drawings, computer data, etc. shall remain the property of
the company and may not be removed without express permission of the
company.

4.2. Organization of Information Security

4.2.1. A Management framework for information security shall be established to
manage information security effectively within Industrial Security.

4.2.2. Clear roles and responsibilities of information owners, users and
information security Managers shall be established and documented to
ensure effective information security implementation within the
organization.

4.3. Asset Management

4.3.1. Information assets shall have owners, as applicable, who are responsible
for the protection of their assets. Implementation of controls may be
delegated by the Operator as appropriate.

4.3.2. An Information Classification Policy shall be defined to classify
information assets according to a structure that is used to ensure special
protection and handling measures for sensitive information.

4.3.3. Operator shall maintain an inventory of all important information and
physical assets.

4.3.4. Operator shall perform periodic audits to ensure all security related items
are accounted for. The audit shall consist of a physical comparison of the
item to the inventory list. Operator shall ensure that any discrepancies
are resolved if possible and/or reported. The system may be
designed so that an owner is assigned to each item (for accountability)
and a record kept of the item's every movement from its generation to its
destruction.

4.4. Human Resources Security

4.4.1. Security roles and responsibilities of employees, contractors and third
party users shall be defined and documented in accordance with Industrial
Security's information security policy.

4.4.2. Employees, contractors and third party users shall sign an agreement or
statement of understanding on their use of information assets and
facilities.

4.4.3. Procedures shall be in place to ensure that the exit of employees,
contractors, or third party users from the company is managed, including
the return of all company equipment and the removal of their access rights.

4.5. Physical & Environmental Security


4.5.1. Equipment shall be sited or protected to reduce the risks from
environmental threats, hazards, or unauthorized access.

4.5.2. Procedures shall be established to ensure that sensitive data on electronic
storage media are removed or securely overwritten prior to media
disposal.

4.5.3. Procedures shall be in place to ensure that electronic storage media are
disposed of properly when no longer needed.

4.6. Communications & Operations Management

4.6.1. Operating procedures shall be documented, maintained, and made
available to all users who need them.

4.6.2. Segregation of duties shall be implemented, where appropriate, to reduce
the risk of negligent or deliberate systems misuse.

4.6.3. Back-up copies of information and software shall be taken and tested
regularly in accordance with the company backup policy.

4.6.4. Company computer networks, systems and applications shall be protected
from unauthorized access.

4.6.5. Audit logs that record user activities, exceptions, and information security
events shall be produced and protected from unauthorized access and
reviewed on an ongoing basis.

4.6.6. Audit logs shall be kept for an agreed period to assist in future reviews,
access control monitoring and possible forensic investigations. The
retention period for audit logs shall be long enough for operational, legal
or disaster recovery purposes.

4.6.7. Sensitive data traveling over the public networks, outside the company
network shall be encrypted as applicable.

4.6.8. Operating systems, databases, network devices, firewalls etc. shall be
security hardened according to vendor guidelines or internally
documented technical standards.

4.7. Access Control

4.7.1. Access to the organization's information and information processing
facilities shall be controlled on the basis of organization's business
requirements.

4.7.2. Procedures shall be in place to control user registration, de-registration
when no longer required, and the allocation of access rights and
privileges.

4.7.3. The allocation of user IDs/passwords, and/or other technologies used for
identification and authentication purposes such as biometrics, finger-print
verification, signature verification, and hardware tokens such as smart
cards, etc. shall be managed and controlled through formal management
processes.

4.7.4. Users shall have unique user IDs/Passwords, or other identification
methods, to ensure their proper identification and authentication to access
data and computer systems.

4.7.5. User access rights shall be reviewed, as needed, to maintain effective
control over access to data and information services.

4.7.6. Users shall be made aware of their responsibilities for maintaining
effective access control, especially regarding the use of passwords and the
security of user-assigned equipment.

4.8. Information Security Incident Management

4.8.1. Responsibilities and procedures shall be in place to monitor information
security incidents within the organization.

4.8.2. Responsibilities and procedures shall be in place to report promptly and
resolve information security incidents within the organization.

4.9. Business Continuity Management


4.9.1. A Business Continuity Plan for Industrial Security's critical information and
systems shall be developed, implemented, tested periodically and
maintained to ensure the continuity of essential business operations, in the
event of natural or man-made disasters, accidents, sabotage, malicious
code, virus, and equipment failures.

4.9.2. Procedures shall be established to implement the needed information
backup for operational and business continuity requirements.

4.10. Compliance

4.10.1. Processes shall be established to ensure that the design, operation, and use
of information systems comply with this document and internal policies
of the organization.

4.10.2. Organizations shall perform regular reviews of Information systems to
ensure compliance with defined security policies and procedures.


5.0. Application of Requirements

This section lists how the elements of this security directive apply to facilities depending on
their classification using the criteria stated in section 4.2 of SEC-01.

APPLICATION

ELEMENT                                         Class 2   Class 3   Class 4
Security Policy                                    X         X         X
Organization of Information Security
Asset Management
Human Resources Security
Physical & Environmental Security
Communications & Operations Management
Access Control
Information Systems Development & Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

(The applicability marks for the rows after Security Policy are not legible in the
scanned source; only the Security Policy row, marked for all three classes, is
recoverable.)
