MINISTRY OF INTERIOR
HIGH COMMISSION FOR INDUSTRIAL SECURITY
SECURITY DIRECTIVES
FOR INDUSTRIAL FACILITIES
SEC-12
Information Protection
Table of Contents
1.0. Administration
3.0. References
1.0. Administration
1.1. Scope
This directive provides the minimum requirements for information protection at companies and establishments that are subject to the supervision of the High Commission for Industrial Security (HCIS), Ministry of Interior.
1.2. Application
This Directive is applicable to all facilities, including new projects, the expansion of existing facilities, and upgrades. For application to existing facilities, the Operator shall assess its facilities against the requirements of these Directives and coordinate with the General Secretariat of the High Commission for Industrial Security (HCIS) to comply with the Security, Safety, and Fire Protection requirements according to these Directives, and add to or modify the existing facilities as required. Where the HCIS has assessed deficiencies in existing facilities during a survey, comparing the current state of the facilities to the requirements of these Directives, those identified deficiencies shall be corrected by the Operator.
RESTRICTED
All Rights reserved to HCIS. Copying or distribution prohibited without written permission from HCIS
Kingdom of Saudi Arabia
High Commission for Industrial Security
Secretariat General
2.0. Definitions
management.
Risk: Combination of the probability of an event and its consequence. [ISO/IEC Guide 73:2002]
Third Party: The person or body that is recognized as being independent of the parties involved, as concerns the issue in question. [ISO/IEC Guide 2:1996]
Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization. [ISO/IEC 13335-1:2004]
Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats. [ISO/IEC 13335-1:2004]
3.0. References
This directive adopts the latest edition of the references listed.
The selection of material and equipment, and the design, construction, maintenance, operation and repair of equipment and facilities covered by this SD shall comply with the latest edition of the references listed in each SD, unless otherwise noted.
4.1.1. Operator shall set clear direction to protect critical information assets through the issue and maintenance of an information security policy across Industrial Security.
4.1.4. All documents, drawings, computer data, etc. shall remain the property of the company and may not be removed without express permission of the company.
4.2.2. Clear roles and responsibilities of information owners, users and information security managers shall be established and documented to ensure effective information security implementation within the organization.
4.3.1. Information assets shall have owners, as applicable, who are responsible for the protection of their assets. Implementation of controls may be delegated by the Operator as appropriate.
4.3.2. An Information Classification Policy shall be defined to classify information assets according to a structure that is used to ensure special protection and handling measures for sensitive information.
4.3.3. Operator shall maintain an inventory of all important information and physical assets.
4.3.4. Operator shall perform periodic audits to ensure all security related items are accounted for. The audit shall consist of a physical comparison of the item to the inventory list. Operator shall ensure that any discrepancies are resolved if possible and/or reported. The system may be designed so that an owner is assigned to each item (for accountability) and a record kept of the item's every movement from its generation to its destruction.
4.4.1. Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with Industrial Security's information security policy.
4.4.2. Employees, contractors and third party users shall sign an agreement or statement of understanding on their use of information assets and facilities.
4.4.3. Procedures shall be in place to ensure that the exit of employees, contractors, or third party users from the company is managed, including the return of all company equipment and the removal of their access rights.
4.6. Communications & Operations Management
4.6.1. Operating procedures shall be documented, maintained, and made available to all users who need them.
4.6.2. Segregation of duties shall be implemented, where appropriate, to reduce the risk of negligent or deliberate systems misuse.
4.6.3. Back-up copies of information and software shall be taken and tested regularly in accordance with the company backup policy.
4.6.4. Company computer networks, systems and applications shall be protected from unauthorized access.
4.6.5. Audit logs that record user activities, exceptions, and information security events shall be produced, protected from unauthorized access and reviewed on an ongoing basis.
4.6.6. Audit logs shall be kept for an agreed period to assist in future reviews, access control monitoring and possible forensic investigations. The retention period for audit logs shall be long enough for operational, legal or disaster recovery purposes.
4.8.2. Responsibilities and procedures shall be in place to report promptly and resolve information security incidents within the organization.
4.10. Compliance
4.12.1 Processes shall be established to ensure that the design, operation, and use of information systems comply with this document and internal policies of the organization.
4.12.2 Organizations shall perform regular reviews of information systems to ensure compliance with defined security policies and procedures.
This section lists how the elements of this security directive apply to facilities depending on their classification, using the criteria stated in section 4.2 of SEC-01.
APPLICATION
Asset Management
Access Control