Workstream 2 - NNCC Control Document - Arabic-V1.0
Restricted – Internal
Restricted
National Networks Cybersecurity Controls. Sharing signal: White
The Traffic Light Protocol was created to allow the largest possible amount of information to be shared, and it is used widely around the world. There are four colours (light signals):
Red: the recipient may not share a document marked with the red signal with any individual, whether inside or outside the organisation, beyond the scope specified for receipt.
Amber: the recipient of an amber-marked document may share the information within the same organisation with the relevant persons only, and with those who need to take action regarding the information.
It may be shared with others from your organisation or from another organisation that has a relationship with you or belongs to the same sector; it may not be exchanged or published through public channels.
Table of Contents
Executive Summary
Introduction
Objectives
National Networks
  Definition of National Networks
  Network Categorization Methodology
Scope of Work and Applicability
  NNCC Scope of Work
  NNCC Statement of Applicability
Implementation and Compliance
Update and Review
NNCC Domains and Structure
  Domains and Subdomains
  Notation
  Structure
The National Networks Cybersecurity Controls
  1. Cybersecurity Governance
  2. Cybersecurity Defense
  3. Cybersecurity Resilience
  4. Third-Party Cybersecurity
Appendices
  Appendix (A): Applicability of controls to network elements
  Appendix (B): Applicability of controls to network nature
  Appendix (C): List of Abbreviations
  Appendix (D): Terms and Definitions

List of Tables
Table 1. NNCC Methodological Structure for a Domain
Table 2. NNCC Applicability by Network Element
Table 3. NNCC Applicability by Network Nature

List of Figures
Figure 1. NNCC Main Domains and Subdomains
Figure 2. NNCC Control Document Coding Scheme
Figure 3. NNCC Main Domain, Subdomain, Main Control and Subcontrol Structure
Executive Summary
The Kingdom of Saudi Arabia is fast becoming a regional leader in digital society, following a
continuous and rapid digital transformation, borne out of the Kingdom’s Vision 2030 strategy.
Citizens are benefitting from increased digitalization of services and greater access to the connected
world, and local business and government alike are increasing their capabilities through the adoption
of emerging technologies. Essential to this ongoing transformation is a secure and well-functioning
national IT infrastructure that supports the flow of data between various stakeholders in a smooth and
dependable manner.
It has been the role of the National Cybersecurity Authority (NCA), since its establishment on
11/2/1439H, to ensure that the digital ecosystem of the Kingdom is secured through appropriate
cybersecurity policies, mechanisms, frameworks, standards, controls, and guidelines, and through
continuous monitoring of organizations' compliance.
NCA’s mandate states that its responsibility for cybersecurity does not absolve any public, private or
other organization from its own cybersecurity responsibilities. To this end, NCA developed the
National Networks Cybersecurity Controls (NNCC – 1: 2021). As an extension to the Essential
Cybersecurity Controls (ECC – 1: 2018) and Critical Systems Cybersecurity Controls (CSCC – 1:
2019), this document focuses on nationally relevant networks, termed ‘National Networks’, whose
compromise would result in negative economic, financial, security or social impacts on the national
level [1]. Nonetheless, due to the different degrees of national relevance of such networks, they can be
further categorized into three security levels (Low, Medium, and High), for which tailored
cybersecurity controls are applied.
[1] The full criteria for National Networks can be found in the “Network Categorisation Methodology” document.
The NNCC was developed taking into consideration international and national frameworks and
standards that were deemed best practice. As such, the NNCC consists of the following:
4 Cybersecurity Domains
29 Cybersecurity Subdomains
55 Cybersecurity Main Controls
179 Cybersecurity Subcontrols
To ensure the continuous compliance by organizations, NCA issued the Assessment and Compliance
Tool (NNCC – 1: 2021 Assessment and Compliance Tool). Nonetheless, in order to be fully
compliant with these controls, organizations are mandated to comply with ECC and other applicable
controls.
Introduction
The National Networks Cybersecurity Controls (NNCC – 1: 2021) was created by the National
Cybersecurity Authority (hereinafter, the “NCA”) to provide adequate cybersecurity coverage for
National Networks. The controls act as an extension to both the Essential Cybersecurity Controls
(ECC – 1: 2018), which includes the minimum cybersecurity requirements for information and
technology assets in organizations, and the Critical Systems Cybersecurity Controls (CSCC – 1:
2019), which includes an additional layer of cybersecurity coverage for Critical Systems within the
Kingdom.
Due to the increasing prevalence of such networks in the support of major infrastructure of the
country and key services within critical sectors, the identification, categorization, and protection of
these networks is of utmost importance. Although this document focuses on the protection of
National Networks at any security level, the identification of these networks and their categorization
to their appropriate level are covered by the “Network Categorization Methodology”, also issued by
NCA.
The NNCC was developed after conducting a comprehensive study of multiple international and
national cybersecurity frameworks and standards (e.g. US - NIST 800-53 and ISO 27002), studying
related national decisions, law, and regulatory requirements (e.g. Australia - Security of Critical
Infrastructure Act 2018), reviewing and leveraging cybersecurity best practices, and analyzing
previous cybersecurity incidents and attacks on government and other critical organizations.
As an extension to the ECC and CSCC, organizations are also mandated to comply with both ECC
and CSCC requirements in order to be fully compliant with the NNCC.
Objectives
As an extension to ECC, the purpose of the NNCC is to set the minimum cybersecurity requirements
for National Networks in organizations. The NNCC is constructed upon industry best practices,
comprising international and national standards, which will help operators of National Networks
enhance their cybersecurity and resilience against internal and external threats. The objectives of the
NNCC are therefore the following:
- To provide adequate cybersecurity controls to protect the Kingdom’s most important national
  infrastructure
- To ensure the confidentiality, integrity and availability of national network infrastructures
- To protect the everyday lives of citizens and businesses that depend upon important networks
  within the Kingdom
National Networks
The definition of ‘National Network’ recognized by the NCA, and used for the purpose of network
categorization and application of cybersecurity controls, is as follows:
“A unique network that supports one or more dedicated services with importance for the Kingdom,
such that a compromise of the confidentiality, integrity or availability of the electronic data that is
carried by the network and its devices would cause negative economic, financial, security or social
impacts on the national level.”
Networks have an assigned categorization level based on the key factors of the network in relation to
identified Critical National Infrastructure of the nation, such as Critical Systems and Critical Entities.
These indicators are used to determine the likely damage that a compromise of the National Network
would represent. As such, tailored cybersecurity controls are applied to networks of different levels.
Low Risk National Network: This categorization level represents the lowest risk of National
Networks, with some criticality of impact resulting from a compromise of the information. As
such, these networks require a minimum standard of network security controls to be applied.
There are 136 applicable controls or subcontrols assigned to level “Low”.
Medium Risk National Network: This categorization level represents National Networks
with a moderate risk level due to their national relevance. As such, these networks require a
moderate level of network cybersecurity controls to be applied. There are 161 applicable
controls or subcontrols assigned to level “Medium”.
High Risk National Networks: National Networks at this categorization level are deemed
the most critical, and their compromise would cause a catastrophic or irreversible effect to the Kingdom. These
networks have the highest risk and therefore require the most stringent level of
network security controls to be applied. There are 173 applicable controls or subcontrols
assigned to level “High”.
The identification and categorization of National Networks is a necessary step to be taken before the
cybersecurity measures are applied. To this end, NCA issued the “Network Categorization
Methodology”, which aims to assist network owners and operators, or government agents that audit
such networks, to identify and classify National Networks using an assessment of national relevance.
To support this effort, NCA issued the “Network Categorization Tool”.
The cybersecurity controls outlined in this document are applicable to networks deemed of low,
medium or high “national relevance” [2] by the organizations who own or operate these networks in the
Kingdom of Saudi Arabia, including:
Providers of international networks (such as those that connect embassies or international branches), as long as they meet the identification criteria.
Any other operators of networks that meet the criteria to be considered National Networks.
These controls have been developed after taking into consideration the cybersecurity needs of
organizations and sectors which operate with National Networks in the Kingdom of Saudi Arabia. In
this regard, such organizations must comply with all applicable controls within this document in
accordance with their categorization level, unless otherwise stated.
[2] In accordance with the “Network Categorisation Methodology”.
Implementation and Compliance
To comply with item 3 of article 10 of NCA’s mandate and as per the Royal Decree number 57231
dated 10/11/1439H, all organizations within the scope of these controls must implement whatever
necessary to ensure continuous compliance with the controls.
NCA evaluates organizations’ compliance with the NNCC through multiple means such as self-
assessments by the organizations, periodic reports of the Assessment and Compliance Tool or on-site
audits.
Compliance with ECC – 1: 2018 and CSCC – 1: 2019 is a mandatory prerequisite for organizations
owning or operating National Networks, regardless of their network category (low, medium, or high).
NCA has issued a tool (NNCC – 1: 2021 Assessment and Compliance Tool) to organize the process
of evaluation and compliance measurement against the NNCC. Further details on the utilization of the
Tool are provided in the “Assessment and Compliance Tool User Manual”.
Update and Review
NCA will periodically review and update the NNCC as existing controls may become outdated and
new ones, e.g. regarding emerging technologies and new trends, may need to be incorporated. NCA
will communicate and publish the updated version of NNCC for implementation and compliance.
The NNCC controls are comprised of multiple domains and subdomains, which are given in Figure 1,
below.

Figure 1. NNCC Main Domains and Subdomains

Domain 1: Cybersecurity Governance
  1-1  Cybersecurity Strategy
  1-2  Cybersecurity Policies and Procedures
  1-3  Cybersecurity Roles and Responsibilities
  1-4  Cybersecurity Risk Management
  1-5  Cybersecurity in Information and Technology Project Management
  1-6  Periodical Cybersecurity Review and Audit
  1-7  Cybersecurity in Human Resources
  1-8  Cybersecurity Awareness and Training Program
  1-9  Cybersecurity in Change Management
  1-10 Cybersecurity in Configuration Management

Domain 2: Cybersecurity Defense
  2-1  Asset Management
  2-2  Identity and Access Management
  2-3  Information System and Information Processing Facilities Protection
  2-4  Networks Security Management
  2-5  Mobile Devices Security
  2-6  Data and Information Protection
  2-7  Cryptography
  2-8  Backup and Recovery Management
  2-9  Vulnerabilities Management
  2-10 Penetration Testing
  2-11 Cybersecurity Event Logs and Monitoring Management
  2-12 Cybersecurity Incident and Threat Management
  2-13 Physical Security
  2-14 Transmission Media Cybersecurity

Figure 1 (continued): Domain 3, Cybersecurity Resilience, and Domain 4, Third-Party Cybersecurity; their subdomain listing was not recovered.
Notation

The document identifier follows the coding scheme given in Figure 2.

Figure 2. NNCC Control Document Coding Scheme
  NNCC - 1 : 2021
  NNCC = National Networks Cybersecurity Controls
  1    = Version No.
  2021 = Year of Issuance

Further, controls within the document also have a unique identifier as given in Figure 3.

Figure 3. NNCC Main Domain, Subdomain, Main Control and Subcontrol Structure
  2 - 4 - 1 - 5
  2 = Main Domain No.
  4 = Subdomain No.
  1 = Main Control No.
  5 = Subcontrol No.
Structure

Domains, subdomains, and controls within this document are structured as per Table 1.

Table 1. NNCC Methodological Structure for a Domain
  Objective
  Controls: Control Reference Number | Control Clauses | Applicable level
In addition to the notation and structure provided in the sections above, the numbers shown in green
in the original document (e.g. 1-3-2) refer to subdomains or controls of the ECC – 1: 2018 or CSCC – 1: 2019.
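The following Python block, added here as an example and not part of the NNCC document, parses control identifiers of the form shown in Figure 3 and evaluates the "Applicable level" column of the control tables (values such as "All", "Low" or "Medium, High") against a network's categorization level, so an operator can list which controls apply to a Low, Medium or High network. The domain names are those of Figure 1, the sample rows are copied from the control tables in this document, and the function and class names are the example's own.

```python
"""Parser and applicability check for NNCC control identifiers.

Added example, not part of the NNCC document. Identifier layout per Figure 3:
domain - subdomain - main control [- subcontrol]. Domain names per Figure 1.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Domain numbers and names as listed in Figure 1 and the table of contents.
DOMAINS = {
    1: "Cybersecurity Governance",
    2: "Cybersecurity Defense",
    3: "Cybersecurity Resilience",
    4: "Third-Party Cybersecurity",
}

# The three categorization levels defined in the document.
LEVELS = ("Low", "Medium", "High")

_ID_RE = re.compile(r"^(\d+)-(\d+)-(\d+)(?:-(\d+))?$")


@dataclass(frozen=True)
class ControlId:
    domain: int
    subdomain: int
    control: int
    subcontrol: Optional[int] = None  # None for a main control such as 1-6-2

    @property
    def domain_name(self) -> str:
        return DOMAINS[self.domain]

    def __str__(self) -> str:
        parts = [self.domain, self.subdomain, self.control]
        if self.subcontrol is not None:
            parts.append(self.subcontrol)
        return "-".join(str(p) for p in parts)


def parse_control_id(text: str) -> ControlId:
    """Parse '2-4-1-5' into its components; reject malformed ids and unknown domains."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an NNCC control identifier: {text!r}")
    domain, subdomain, control = (int(g) for g in m.groups()[:3])
    subcontrol = int(m.group(4)) if m.group(4) else None
    if domain not in DOMAINS:
        raise ValueError(f"unknown NNCC domain {domain} in {text!r}")
    return ControlId(domain, subdomain, control, subcontrol)


def applies_to(level_clause: str, network_level: str) -> bool:
    """Evaluate an 'Applicable level' cell ('All', 'Low', 'Medium, High', ...)
    against the categorization level of one national network."""
    if network_level not in LEVELS:
        raise ValueError(f"unknown network level {network_level!r}")
    listed = {part.strip() for part in level_clause.split(",")}
    if listed == {"All"}:
        return True
    unknown = listed - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown level(s) {sorted(unknown)} in {level_clause!r}")
    return network_level in listed


def applicable_controls(table: Iterable[Tuple[str, str]], network_level: str) -> List[str]:
    """Identifiers (in table order) of the controls that apply to a network of
    the given level; `table` holds (identifier, level clause) pairs."""
    return [str(parse_control_id(cid)) for cid, clause in table
            if applies_to(clause, network_level)]


# Sample rows copied from the control tables of this document.
SAMPLE_TABLE = [
    ("1-2-1", "All"),
    ("1-5-1-3", "High"),
    ("1-6-2-1", "Medium, High"),
    ("1-6-2-2", "Low"),
    ("2-2-1-2", "All"),
]

if __name__ == "__main__":
    for level in LEVELS:
        print(level, applicable_controls(SAMPLE_TABLE, level))
```

Because every row is parsed before the level is tested, a malformed identifier in a spreadsheet export surfaces as an error rather than silently dropping out of the applicable set.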
1. Cybersecurity Governance

Subdomain 1-1 Cybersecurity Strategy
Objective: To ensure that cybersecurity plans, goals, initiatives, and projects are contributing to the cybersecurity of the national network and compliance with related laws and regulations, and organizational requirements.

Subdomain 1-2 Cybersecurity Policies and Procedures
Controls (applicable level in brackets):
1-2-1 [All] With reference to ECC control 1-3-1, when new versions of policies and procedures related to the national network are published, the versions that have been disseminated to beneficiaries/clients and any other third parties must be updated accordingly.

Subdomain 1-3 Cybersecurity Roles and Responsibilities
Objective: To ensure that roles and responsibilities are defined and implemented for all parties accessing the national network information and technology assets, as per organizational policies and procedures, and related laws and regulations.
Controls:
1-3-1 With reference to ECC control 1-4-1, the cybersecurity requirements for cybersecurity roles and responsibilities must include, at a minimum, the following:

Subdomain 1-4 Cybersecurity Risk Management
Controls:
1-4-2 [All] With reference to ECC control 1-5-2, a risk mitigating action plan must be developed, documented, approved and executed as the result of the implementation of the risk assessment procedures, and its implementation status reviewed at least once every three months.

Subdomain 1-5 Cybersecurity in Information and Technology Project Management
Objective: To ensure that cybersecurity requirements and procedures are included in information system development and deployment in order to protect the confidentiality, integrity and availability of the national network information and technology assets as per organization policies and procedures, and related laws and regulations.
Controls:
1-5-1 In addition to the subcontrols in ECC control 1-6-2 and ECC control 1-6-3, cybersecurity requirements for information system development and deployment must include, at a minimum, the following:
  1-5-1-3 [High] Threat modelling must be performed and incorporated in the first

Subdomain 1-6 Periodical Cybersecurity Review and Audit
Objective: To ensure that the cybersecurity controls applicable to the national network information and technology assets are implemented and in compliance with organizational policies and procedures, as well as related national and international laws, regulations and agreements.
Controls:
1-6-1 With reference to ECC control 1-8-1 and CSCC control 1-4-1, the compliance and effectiveness of the cybersecurity controls implemented in the national network must be assessed by the cybersecurity function at least according to all of the following triggers:
1-6-2 [All] With reference to ECC control 1-8-2 and CSCC control 1-4-2, the compliance and effectiveness of the cybersecurity controls implemented in the national network must be reviewed by independent third parties within the organization at least with the following frequency:
  1-6-2-1 [Medium, High]
    - Once a year;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.
  1-6-2-2 [Low]
    - Once every three years;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.

Subdomain 1-7 Cybersecurity in Human Resources
Objective: To ensure that cybersecurity risks and requirements related to personnel (personnel and contractors) accessing the national network information and technology assets are managed efficiently prior to employment, during employment and after termination/separation as per organizational policies and procedures, and related laws and regulations.

Subdomain 1-8 Cybersecurity Awareness and Training Program
Objective: To ensure that personnel are aware of their cybersecurity responsibilities, have the essential cybersecurity awareness and required cybersecurity training, skills and credentials needed to accomplish their cybersecurity responsibilities to protect the national network information and technology assets.

Subdomain 1-9 Cybersecurity in Change Management
Objective: To ensure that changes to the national network technology assets are properly controlled, registered and managed, as per organizational policies and procedures, and related laws and regulations.
Controls:
In addition to the subcontrols in ECC control 1-6-2 and ECC control 1-6-3, the cybersecurity requirements within the national network change management lifecycle must include, at a minimum, the following:
1-9-3 [All] The cybersecurity requirements within the national network change management lifecycle must be reviewed at least:
    - Annually;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or

Subdomain 1-10 Cybersecurity in Configuration Management
Objective: To ensure that the components and configurations of the national network technology assets are identified, controlled, registered and managed, as per organizational policies and procedures, and related laws and regulations.

2. Cybersecurity Defense

Subdomain 2-1 Asset Management
Objective: To ensure that national network information and technology assets are identified and inventoried in order to assign adequate protection against loss of availability, confidentiality and integrity, as per organization policies and procedures, and related laws and regulations.
Controls:
2-1-2 With reference to ECC controls 2-1-3 and 2-1-4, cybersecurity requirements for the acceptable use policy of information and technology assets must include, at a minimum, the following:
  2-1-2-1 [All] All personnel with access to data and devices must sign a copy of the acceptable use policy during the on-boarding process.

Subdomain 2-2 Identity and Access Management
Objective: To ensure that logical access to the national network information and technology assets is restricted to authorized users on a need-to-know basis, and to prevent unauthorized access, as per organization policies and procedures, and related laws and regulations.
Controls:
2-2-1
  2-2-1-2 [All] All system and device management logins must generate a log entry and an alert.
  2-2-1-3 [All] The user account, including regular and privileged accounts, must be blocked after several consecutive failed attempts.
  2-2-1-4 [All] All personnel must be assigned a unique user ID. The sharing of such a user ID with other personnel must be strictly prohibited.
  2-2-1-5 [All] Technical personnel must use different user IDs and devices for day-to-day tasks than the privileged systems administration accounts and devices.
  2-2-1-7 [All] User access rights requests must be registered, whether they are granted or not, and must be provided through a formal process involving at least the prior approval of the information system owner or a designated individual.
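Subcontrols 2-2-1-2 and 2-2-1-3 can be exercised with the following Python block, an added example rather than code from the NCA or this document: it records a log entry and an alert for every management login attempt, counts consecutive failures per account, blocks the account once the count reaches a threshold, and resets the count on success. The threshold of five attempts, the account, the IP addresses and the PBKDF2 credential store are constructed for the example; the document itself says only "several" attempts.

```python
"""Consecutive-failure lockout and management-login audit trail.

Added example, not part of the NNCC document. Threshold, account and
addresses are constructed; the document only says 'several' attempts.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    password_hash: bytes   # PBKDF2-SHA256 of the password, constructed for the example
    salt: bytes
    failures: int = 0      # consecutive failed attempts, reset on success
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name: str, password: str) -> Account:
    # Deterministic salt so the example is reproducible; use os.urandom in practice.
    salt = hashlib.sha256(name.encode()).digest()[:16]
    return Account(name, _hash(password, salt), salt)


class LoginGuard:
    """Authenticates against an in-memory store, blocks an account after
    `max_failures` consecutive failures (2-2-1-3) and records a log entry
    plus an alert for every management login attempt (2-2-1-2)."""

    def __init__(self, accounts: List[Account], max_failures: int = 5):
        self.accounts: Dict[str, Account] = {a.name: a for a in accounts}
        self.max_failures = max_failures
        self.log: List[str] = []     # audit trail of management logins
        self.alerts: List[str] = []  # alert feed for the monitoring team

    def _record(self, account: str, outcome: str, source_ip: str) -> None:
        entry = f"mgmt-login account={account} outcome={outcome} src={source_ip}"
        self.log.append(entry)
        self.alerts.append(entry)  # every management login alerts, not only failures

    def login(self, name: str, password: str, source_ip: str) -> bool:
        acct: Optional[Account] = self.accounts.get(name)
        if acct is None:
            self._record(name, "unknown-account", source_ip)  # probing is visible too
            return False
        if acct.locked:
            self._record(name, "rejected-locked", source_ip)
            return False
        if hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
            acct.failures = 0                        # success resets the counter
            self._record(name, "success", source_ip)
            return True
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked = True                       # block the account
            self._record(name, "failed-locked", source_ip)
        else:
            self._record(name, "failed", source_ip)
        return False

    def unlock(self, name: str, operator: str) -> None:
        """Administrative unlock; itself an audited management action."""
        acct = self.accounts[name]
        acct.locked = False
        acct.failures = 0
        self._record(name, f"unlocked-by={operator}", "console")


def demo() -> LoginGuard:
    """Constructed scenario: five wrong passwords lock the account, the
    correct password is then rejected until an operator unlocks it."""
    guard = LoginGuard([make_account("netadm", "correct-horse")])
    for _ in range(5):
        guard.login("netadm", "wrong-password", "203.0.113.10")
    guard.login("netadm", "correct-horse", "203.0.113.10")  # rejected: locked
    guard.unlock("netadm", operator="soc-oncall")
    guard.login("netadm", "correct-horse", "198.51.100.7")  # succeeds
    return guard


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Unknown account names are logged with the same entry format as real ones, so an attempt to enumerate management accounts leaves the same trail as a failed login.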
Objective: To ensure the protection of the technology assets processing and storing information of the national network (including network devices, servers, workstations and end-user devices).
Controls (Level):
2-3-1-3 (All) Input and output physical ports, such as Universal Serial Bus (USB), that are unnecessary must be disabled.
2-3-2-1 (All) The national network systems and devices must synchronize their internal clocks using at least two accurate and trusted sources, one of them in a different geographic region than the primary authoritative time source.
2-3-2-2 (All) The use of the Network Time Security (NTS) extension must be considered to secure NTP, when technically available.
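Subcontrols 2-3-2-1 and 2-3-2-2 translate directly into a check on a time-synchronization configuration: at least two sources, at least one in a different region from the primary, and NTS enabled where the client supports it. The Python audit below is an added example, not part of the NNCC document. It reads chrony-style `server`/`pool`/`peer` lines; the trailing `# region=...` comment is an assumed inventory annotation (chrony ignores comments), and the host names and regions are constructed.

```python
import re

# Constructed chrony.conf-style fragments (sample input, not from the document).
# The trailing "# region=..." comment is an assumed inventory annotation used to
# carry the geographic region of each source; chrony itself ignores comments.
WEAK_CONF = """\
# single source, plain NTP
server ntp1.example.internal iburst   # region=central
"""

HARDENED_CONF = """\
server ntp1.example.internal iburst nts   # region=central
server ntp2.example.internal iburst nts   # region=western
"""

SOURCE_RE = re.compile(
    r"^\s*(?:server|pool|peer)\s+(?P<host>\S+)(?P<opts>[^#]*)(?:#\s*region=(?P<region>\S+))?"
)


def parse_sources(conf):
    """Return one dict per server/pool/peer line: host, NTS flag, region tag."""
    sources = []
    for line in conf.splitlines():
        m = SOURCE_RE.match(line)
        if not m:
            continue
        sources.append({
            "host": m.group("host"),
            # chrony enables NTS per source with the "nts" option
            "nts": "nts" in m.group("opts").split(),
            "region": m.group("region"),
        })
    return sources


def audit_time_sources(conf):
    """Findings against 2-3-2-1 (two trusted sources, one in another region)
    and 2-3-2-2 (NTS where available). An empty list means no finding."""
    sources = parse_sources(conf)
    findings = []
    if len(sources) < 2:
        findings.append("2-3-2-1: fewer than two time sources configured")
    else:
        regions = {s["region"] for s in sources if s["region"]}
        if len(regions) < 2:
            findings.append("2-3-2-1: no source in a different region from the primary")
    for s in sources:
        if not s["nts"]:
            findings.append(f"2-3-2-2: NTS not enabled for {s['host']}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_time_sources(conf) or "compliant")
```

The region check is deliberately separate from the source-count check: two sources in the same data centre satisfy the count but still share a single point of failure, which is the risk 2-3-2-1 is written to remove.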
Objective: To ensure that the transmission of national network information and access to it through network media is protected against cyber risks.
Controls (Level):
Objective: To ensure the protection of national network information managed and stored on mobile devices (smartphones, tablets and PDAs).
Controls (Level):
2-5-1-1 (All) With reference to CSCC subcontrol 2-5-1-1 and ECC control 2-6-3, use of mobile devices to access the national network must be restricted by default, provided based on business needs, and assessed and managed with risk management procedures, in line with the risk tolerance policy.
2-5-1-4 (All) With reference to CSCC subcontrol 2-5-1-2, mobile devices must implement storage encryption, access control systems, protection against brute-force attacks and malware protection.
Objective: To ensure that national network information is identified, classified, marked, and managed in a secure manner, as per organizational policies and procedures, and related laws and regulations.
Controls (Level):
2-7 Cryptography
Objective: To ensure the adequate and efficient use of encryption mechanisms to protect the national network information in transit and at rest as per organizational policies and procedures, and related laws and regulations.
Controls (Level):
2-7-2-1 (All) The private keys of root and issuing certificates of the national network must be stored on a hardware security module (HSM).
2-7-2-2 (All) The root and issuing certificates must not be stored on isolated devices not connected to the Internet or any connecting third party.
2-7-2-3 (All) Private keys and certificates must be rotated periodically, at least every two years.
2-7-3 (All) Only secure versions of Transport Layer Security (TLS) must be used.
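Control 2-7-3 does not define "secure versions"; in practice that means refusing TLS 1.1 and older, keeping compression off and excluding obsolete cipher suites, and 2-7-2-3 adds a two-year ceiling on key lifetime. The Python below is an added example, not the NNCC's or any NCA tool's code, showing a hardened `ssl.SSLContext` beside a permissive one and an audit function that flags the permissive one. The cipher string, the list of weak-algorithm markers and the sample certificate dates are assumptions for the example.

```python
import ssl
from datetime import date

# Cipher-suite name fragments that indicate obsolete algorithms (assumed list).
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT")
MAX_KEY_LIFETIME_DAYS = 2 * 365  # 2-7-2-3: rotate at least every two years


def hardened_client_context():
    """A client context in line with 2-7-3: TLS 1.2+ only, AEAD suites with
    forward secrecy, certificate verification left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def permissive_client_context():
    """A legacy-style context with no protocol floor, kept only so the audit
    below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_tls_context(ctx):
    """Return findings for an ssl.SSLContext; an empty list means compliant."""
    findings = []
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor < ssl.TLSVersion.TLSv1_2:
        findings.append("2-7-3: minimum protocol version allows TLS 1.1 or older")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("2-7-3: TLS compression not disabled")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("2-7-3: obsolete cipher suites enabled: " + ", ".join(weak))
    return findings


def key_rotation_overdue(not_before_iso, not_after_iso, max_days=MAX_KEY_LIFETIME_DAYS):
    """2-7-2-3 check on a certificate's validity window, given as ISO dates."""
    not_before = date.fromisoformat(not_before_iso)
    not_after = date.fromisoformat(not_after_iso)
    return (not_after - not_before).days > max_days


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_client_context()) or "compliant")
    print("permissive:", audit_tls_context(permissive_client_context()))
    # constructed validity windows, not real certificates
    print("3-year cert overdue:", key_rotation_overdue("2024-01-01", "2027-01-01"))
```

The audit inspects the context object rather than a live connection, so it can run in a configuration test before a service is deployed; a handshake-level scan of the running endpoint is the complementary check.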
Objective: To ensure the protection of the national network information against accidental or intentional loss as per organizational policies and procedures, and related laws and regulations.
Controls (Level):
2-8-1-3 (All) With reference to CSCC subcontrol 2-8-1-2 and ECC control 2-9-3, backup and recovery tasks must be monitored and controlled, and performed using updated, "state-of-the-art", automated tools well-suited for the technology environment of the national network.
2-8-1-4 (All) With reference to CSCC subcontrol 2-8-1-2, data backup frequency must be aligned with organization data loss tolerance requirements, cybersecurity requirements of the information being backed up, industry best practices, recommendations and guidelines established by the NCA, or requirements from the National Data Management Office, if applicable.
Objective: To ensure the timely and effective detection and remediation of technical vulnerabilities to prevent their exploitation by malicious third parties.
Controls (Level):
Controls (Level):
2-10-1-2 (All) With reference to ECC subcontrol 2-11-3-2, grey box penetration tests must be performed at least annually.
Objective: To ensure timely collection, analysis and monitoring of cybersecurity events of the national network technology assets for early detection of potential cyber-attacks, operational failures and suspicious activity.
Controls (Level):
Objective: To ensure the effective and timely identification, detection, response and management of potential cyber incidents to prevent or minimize the negative effects on the national network information and technology assets, taking into account the Royal Decree No. 37140 of 14/8/1438H.
Controls (Level):
Objective: To ensure the protection of the national network information and technology assets from unauthorized physical access, loss, theft and damage.
Controls (Level):
2-13-1-5 (Medium, High) MFA must be used to access sensitive areas within the organization, such as rooms with data transmission equipment.
2-13-1-6 (Medium, High) Cell phones, cameras and recording devices must be prohibited from entering the offices and sensitive areas of the organization.
Objective: To ensure the protection of national network information when it is transmitted through physical media against loss of availability, confidentiality, and integrity.
Controls (Level):
2-14-2 The cybersecurity requirements for national network transmission media must include, at a minimum, the following:
2-14-2-2 (All) Fiber optic cabling must be prioritized over copper cabling in new facilities or modifications of current facilities.
2-14-2-3 (All) Wall cabling must not be used on walls bordering the exterior or an untrusted organization, or on walls separating rooms belonging to networks of different category levels.
2-14-2-7 (Medium, High) Cables and wall outlet boxes must use a cable color pattern that allows one to distinguish the classification of the information transmitted or accessed.
2-14-2-10 (Medium, High) Conduits carrying cables, wall outlet boxes and cables must be properly labelled with the appropriate level of security for inspection and maintenance.
2-14-2-11 (High) High-level category cables shall use individual and dedicated cabinets.
Objective: To ensure a secure connection of the national network at connection points with other networks, internal or external to the organization, to protect information against loss of availability, confidentiality, and integrity.
Controls (Level):
2-15-2-4 (All) The gateway must be the only communication path in and out of the network and must fail securely in the event of an operational failure.
2-15-2-7 (All) The gateway must alert in real time of any potential cybersecurity incidents.
Objective: To ensure that the national network information flow between the national network devices is protected against cyber risks.
Controls (Level):
2-16-1-1 (All) Network devices must implement the latest version of the standard of the routing protocol being used.
2-16-1-2 (All) Routing Information Protocol (RIP) version 1 must not be used.
2-16-3-1 (All) Router interfaces must be passive by default and only those necessary must be explicitly activated.
2-16-3-2 (All) General traffic directed to the routers must be filtered and restricted only to that necessary.
2-16-3-4 (All) Time To Live (TTL) security check must be enabled for routing updates in OSPF and BGP.
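Subcontrols 2-16-1-2, 2-16-3-1 and 2-16-3-4 are all visible in a router's running configuration, so they can be checked offline from a config export. The Python audit below is an added example and not part of the NNCC document or NCA tooling. It parses Cisco IOS-style stanzas; the hostnames, AS numbers and addresses are constructed. On IOS, `router rip` without `version 2` sends RIPv1, `passive-interface default` under `router ospf` makes interfaces passive unless explicitly activated, `ttl-security all-interfaces` (OSPF) and `neighbor ... ttl-security hops N` (BGP) enable the TTL security check; other vendors express the same settings differently and would need their own parser.

```python
import re

# Constructed IOS-style configuration fragments (sample input, not from the document).
NONCOMPLIANT_CFG = """\
hostname core-rtr1
!
router rip
 network 10.0.0.0
!
router ospf 10
 network 10.0.0.0 0.0.255.255 area 0
!
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
!
"""

COMPLIANT_CFG = """\
hostname core-rtr2
!
router ospf 10
 passive-interface default
 no passive-interface GigabitEthernet0/1
 ttl-security all-interfaces
 network 10.0.0.0 0.0.255.255 area 0
!
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 ttl-security hops 1
!
"""


def parse_stanzas(cfg):
    """Group a flat IOS-style config into {top-level line: [indented child lines]}."""
    stanzas = {}
    current = None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # "!" separates stanzas in IOS output
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def audit_routing(cfg):
    """Findings against 2-16-1-2, 2-16-3-1 and 2-16-3-4; empty list = compliant."""
    findings = []
    for head, body in parse_stanzas(cfg).items():
        if head == "router rip":
            if "version 2" not in body:
                findings.append("2-16-1-2: 'router rip' without 'version 2' sends RIPv1 on IOS")
        elif head.startswith("router ospf"):
            if "passive-interface default" not in body:
                findings.append(f"2-16-3-1: '{head}' lacks 'passive-interface default'")
            if "ttl-security all-interfaces" not in body:
                findings.append(f"2-16-3-4: '{head}' lacks 'ttl-security all-interfaces'")
        elif head.startswith("router bgp"):
            neighbors = {line.split()[1] for line in body if line.startswith("neighbor ")}
            protected = {line.split()[1] for line in body
                         if line.startswith("neighbor ") and " ttl-security hops " in line}
            for peer in sorted(neighbors - protected):
                findings.append(f"2-16-3-4: BGP neighbor {peer} lacks 'ttl-security hops'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("core-rtr1", NONCOMPLIANT_CFG), ("core-rtr2", COMPLIANT_CFG)):
        print(name, audit_routing(cfg) or "compliant")
```

The RIP rule treats the absence of `version 2` as a finding rather than only the presence of `version 1`, because the insecure behaviour is the platform default and a config that is silent about it still violates 2-16-1-2.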
Objective: To ensure that the naming system used to access the resources provided by the national network is protected against cyber risks.
Controls (Level):
2-17-3 With reference to ECC subcontrol 2-5-3-7, cybersecurity requirements for the service security of DNS must include, at a minimum, the following:
2-17-3-2 (All) DNS must implement access control lists (ACLs) and transaction signatures (TSIGs) and restrict zone transfers and malicious information gathering.
2-17-3-3 (All) Primary DNS servers must be used exclusively to serve the
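Subcontrol 2-17-3-2 asks for ACLs and TSIG on zone transfers. For BIND 9 that is the `allow-transfer` statement bound to a `key`, and an audit can read it straight out of `named.conf`. The Python below is an added example, not NNCC or NCA code, and not BIND's own configuration checker; the zone name, ACL, key name and the placeholder secret are constructed, and the set of algorithms treated as strong is an assumption for the example.

```python
import re

# Constructed named.conf (BIND 9) fragments; sample input, not from the document.
OPEN_CONF = """\
zone "example.internal" {
    type primary;
    file "db.example.internal";
    allow-transfer { any; };
};
"""

RESTRICTED_CONF = """\
acl internal-nets { 10.0.0.0/8; };
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};
zone "example.internal" {
    type primary;
    file "db.example.internal";
    allow-query { internal-nets; };
    allow-transfer { key xfer-key; };
};
"""

# A zone or key block runs from its opening line to a "};" at the start of a line.
BLOCK_RE = re.compile(r'^(zone|key)\s+"([^"]+)"\s*\{(.*?)^\};', re.S | re.M)
STRONG_TSIG = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}  # assumed policy set


def parse_blocks(conf):
    """Return ({zone_name: body}, {key_name: algorithm}) from named.conf text."""
    zones, keys = {}, {}
    for kind, name, body in BLOCK_RE.findall(conf):
        if kind == "zone":
            zones[name] = body
        else:
            alg = re.search(r"algorithm\s+([\w-]+)\s*;", body)
            keys[name] = alg.group(1).lower() if alg else None
    return zones, keys


def audit_zone_transfers(conf):
    """Findings against 2-17-3-2 (ACL + TSIG on zone transfers); empty = compliant."""
    zones, keys = parse_blocks(conf)
    findings = []
    for name, body in zones.items():
        m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if not m:
            findings.append(f"{name}: no explicit allow-transfer; restrict it explicitly")
            continue
        value = m.group(1)
        if re.search(r"\bany\b", value):
            findings.append(f"{name}: allow-transfer permits any host")
        key_refs = re.findall(r"\bkey\s+([\w.-]+)", value)
        if not key_refs:
            findings.append(f"{name}: allow-transfer is not bound to a TSIG key")
        for k in key_refs:
            if keys.get(k) not in STRONG_TSIG:
                findings.append(f"{name}: TSIG key {k} is missing or uses a weak algorithm")
    return findings


if __name__ == "__main__":
    print("open:", audit_zone_transfers(OPEN_CONF))
    print("restricted:", audit_zone_transfers(RESTRICTED_CONF) or "compliant")
```

Binding the transfer ACL to a key rather than to source addresses is the point of the TSIG requirement: an address-only ACL is defeated by anyone able to source traffic from the permitted range, whereas a TSIG-signed AXFR request also proves possession of the shared secret.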
3. Cybersecurity Resilience
Objective: To guarantee the continuity and resilience of the national network, the services it provides and the business processes it supports in the event of disaster scenarios.
Controls (Level):
3-1-1-4 (All) The main risks and potential disaster scenarios with serious impact on the organization must be identified and managed.
4. Third-Party Cybersecurity
Objective: To ensure protection of information and technology assets of the national network against risks arising from contracting with third parties, including the supply chain, outsourcing and managed services, as per organizational policies and procedures and related laws and regulations.
Controls (Level):
4-1-1-5 (All) With reference to ECC subcontrol 4-1-2-3, the third party must provide assurance of compliance with related NCA regulations and entity cybersecurity requirements.
4-1-2-1 (All) The third party must inform the organization immediately in the event of a cybersecurity incident potentially affecting the service (even when that has not been fully determined), identify key stakeholders, investigate the incident, and execute remediation plans.
4-1-2-2 (All) The third party must regularly report on its compliance with contract terms and agreements.
Appendices
This appendix gives a breakdown of applicability of all controls against the most common network elements and factors. It should be noted that a National Network is composed of multiple physical and abstract elements, including:
- People (the technical and non-technical staff that support the network either directly or indirectly),
- Locations (where infrastructure is installed),
- Third parties connecting to the network (e.g. service providers),
- End-user devices (required to perform technical and non-technical tasks),
- A LAN network with supporting infrastructure (for instance, the local network where the users connect will need to have an LDAP directory, data storage systems, repositories for documentation and logs, etc.),
- A WAN network (the infrastructure that transmits the data of the network between the clients).
The NNCC has been designed to cover all of these elements. However, for the sake of clarity surrounding the technological aspects of the network, the following breakdown is used:
Network Type
LAN (Local Area Network): A local area network is a collection of computers and peripheral
devices interconnected in one physical location and is comprised of cables, access points,
switches, routers, and other components that enable devices to connect to internal servers,
web servers, and other LANs. LAN includes technologies such as: Copper, Fiber, Coaxial,
Ethernet, ARP, IP, TCP/UDP, DHCP, 100BaseT/100BaseTX, 10BaseT (UTP), 1000BaseT.
WAN (Wide Area Network): A wide area network is a geographically distributed
telecommunications network that interconnects devices from multiple locations. WANs use
various interconnection links without establishing ties to a physical location. WAN includes
technologies such as: Fiber, MPLS, Frame relay, SDLC, HDLC, ISDN, SD-WAN, X.25.
Wireless: When referring to networks, wireless is the technology that allows data connections
to be established between two or more network nodes via radio waves and without relying on
physical connections. Wireless includes technologies such as: WLAN, WPA2, 802.1X/EAP,
TKIP, CCMP, Access point, WIMAX, FHSS, DSSS, OFDM.
Applicability is given in the table below:
Table 2. NNCC Applicability by Network Element
Control / Subcontrol  LAN WAN Wireless
1-1-1  ✓ ✓ ✓
1-1-2  ✓ ✓ ✓
1-2-1  ✓ ✓ ✓
1-3-1
  1-3-1-1  ✓ ✓ ✓
  1-3-1-2  ✓ ✓ ✓
1-3-2  ✓ ✓ ✓
1-4-1  ✓ ✓ ✓
1-4-2  ✓ ✓ ✓
1-5-1
  1-5-1-1  ✓ ✓ ✓
  1-5-1-2  ✓ ✓ ✓
  1-5-1-3  ✓ ✓ ✓
1-6-1  ✓ ✓ ✓
1-6-2
  1-6-2-1  ✓ ✓ ✓
  1-6-2-2  ✓ ✓ ✓
1-7-1  ✓ ✓ ✓
1-8-1  ✓ ✓ ✓
1-9-1  ✓ ✓ ✓
1-9-2
  1-9-2-1  ✓ ✓ ✓
  1-9-2-2  ✓ ✓ ✓
  1-9-2-3  ✓ ✓ ✓
  1-9-2-4  ✓ ✓ ✓
1-9-3  ✓ ✓ ✓
1-10-1  ✓ ✓ ✓
1-10-2
  1-10-2-1  ✓ ✓ ✓
  1-10-2-2  ✓ ✓ ✓
  1-10-2-3  ✓ ✓ ✓
  1-10-2-4  ✓ ✓ ✓
  1-10-2-5  ✓ ✓ ✓
1-10-3  ✓ ✓ ✓
2-1-1
  2-1-1-1  ✓ ✓ ✓
  2-1-1-2  ✓ ✓ ✓
  2-1-1-3  ✓ ✓ ✓
  2-1-1-4  ✓ ✓ ✓
2-1-2
  2-1-2-1  ✓ ✓ ✓
  2-1-2-2  ✓ ✓ ✓
2-1-3
  2-1-3-1  ✓ ✓ ✓
  2-1-3-2  ✓ ✓ ✓
  2-1-3-3  ✓ ✓ ✓
  2-1-3-4  ✓ ✓ ✓
2-2-1
  2-2-1-1  ✓ X X
  2-2-1-2  ✓ ✓ ✓
  2-2-1-3  ✓ X X
  2-2-1-4  ✓ X X
  2-2-1-5  ✓ ✓ ✓
  2-2-1-6  ✓ ✓ ✓
  2-2-1-7  ✓ ✓ ✓
  2-2-1-8  ✓ X X
2-3-1
  2-3-1-1  ✓ ✓ ✓
  2-3-1-2  ✓ X X
  2-3-1-3  ✓ X X
  2-3-1-4  ✓ ✓ ✓
  2-3-1-5  ✓ ✓ ✓
  2-3-1-6  ✓ ✓ ✓
  2-3-1-7  ✓ ✓ ✓
2-3-2
  2-3-2-1  ✓ ✓ ✓
  2-3-2-2  ✓ ✓ ✓
  2-3-2-3  ✓ ✓ ✓
  2-3-2-4  NBED NBED NBED
2-4-1
  2-4-1-1  ✓ X X
  2-4-1-2  ✓ X X
  2-4-1-3  ✓ ✓ ✓
  2-4-1-4  ✓ ✓ ✓
  2-4-1-5  NBED NBED NBED
2-4-2
  2-4-2-1  ✓ X X
  2-4-2-2  ✓ X X
  2-4-2-3  ✓ X X
  2-4-2-4  ✓ X X
2-4-3
  2-4-3-1  ✓ X X
  2-4-3-2  ✓ X X
  2-4-3-3  ✓ X X
  2-4-3-4  ✓ X X
2-4-4  NBED NBED NBED
2-4-5
  2-4-5-1  X X ✓
  2-4-5-2  X X ✓
  2-4-5-3  X X ✓
  2-4-5-4  X X ✓
  2-4-5-5  X X ✓
  2-4-5-6  X X ✓
  2-4-5-7  X X ✓
  2-4-5-8  X X ✓
2-5-1
  2-5-1-1  ✓ X X
  2-5-1-2  ✓ X X
  2-5-1-3  ✓ X X
  2-5-1-4  ✓ X X
  2-5-1-5  ✓ X X
  2-5-1-6  ✓ X X
  2-5-1-7  ✓ X X
  2-5-1-8  ✓ X X
2-6-1
  2-6-1-1  ✓ ✓ ✓
  2-6-1-2  ✓ X X
  2-6-1-3  ✓ ✓ ✓
  2-6-1-4  ✓ X X
2-7-1
  2-7-1-1  ✓ ✓ ✓
  2-7-1-2  ✓ ✓ ✓
2-7-2
  2-7-2-1  ✓ ✓ ✓
  2-7-2-2  ✓ ✓ ✓
  2-7-2-3  NBED NBED NBED
  2-7-2-4  NBED NBED NBED
2-7-3  NBED NBED NBED
2-7-4  NBED NBED NBED
2-8-1
  2-8-1-1  ✓ X X
  2-8-1-2  ✓ X X
  2-8-1-3  ✓ X X
  2-8-1-4  ✓ X X
  2-8-1-5  ✓ X X
  2-8-1-6  ✓ X X
2-9-1
  2-9-1-1  ✓ ✓ ✓
  2-9-1-2  ✓ ✓ ✓
  2-9-1-3  ✓ ✓ ✓
  2-9-1-4  ✓ ✓ ✓
  2-9-1-5  ✓ ✓ ✓
2-10-1
  2-10-1-1  ✓ ✓ ✓
  2-10-1-2  ✓ ✓ ✓
  2-10-1-3  ✓ ✓ ✓
  2-10-1-4  ✓ ✓ ✓
2-11-1
  2-11-1-1  ✓ ✓ ✓
  2-11-1-2  ✓ ✓ ✓
  2-11-1-3  ✓ ✓ ✓
  2-11-1-4  ✓ ✓ ✓
  2-11-1-5  ✓ ✓ ✓
2-12-1
  2-12-1-1  ✓ ✓ ✓
  2-12-1-2  ✓ ✓ ✓
  2-12-1-3  ✓ ✓ ✓
  2-12-1-4  ✓ ✓ ✓
  2-12-1-5  ✓ ✓ ✓
  2-12-1-6  ✓ ✓ ✓
2-13-1
  2-13-1-1  ✓ ✓ ✓
  2-13-1-2  ✓ ✓ ✓
  2-13-1-3  ✓ ✓ ✓
  2-13-1-4  ✓ ✓ ✓
  2-13-1-5  ✓ ✓ ✓
  2-13-1-6  ✓ ✓ ✓
  2-13-1-7  ✓ ✓ ✓
  2-13-1-8  ✓ ✓ ✓
  2-13-1-9  ✓ X X
  2-13-1-10  ✓ ✓ ✓
  2-13-1-11  ✓ ✓ ✓
2-14-1  ✓ ✓ ✓
2-14-2
  2-14-2-1  ✓ ✓ ✓
  2-14-2-2  X ✓ X
  2-14-2-3  ✓ ✓ ✓
  2-14-2-4  ✓ ✓ ✓
  2-14-2-5  ✓ ✓ ✓
  2-14-2-6  X ✓ X
  2-14-2-7  X ✓ X
  2-14-2-8  ✓ ✓ ✓
  2-14-2-9  ✓ ✓ ✓
  2-14-2-10  ✓ ✓ ✓
  2-14-2-11  X ✓ X
  2-14-2-12  X ✓ X
2-14-3  ✓ ✓ ✓
2-15-1  ✓ ✓ ✓
2-15-2
  2-15-2-1  ✓ ✓ ✓
  2-15-2-2  X ✓ X
  2-15-2-3  X ✓ X
  2-15-2-4  X ✓ X
  2-15-2-5  X ✓ X
  2-15-2-6  X ✓ X
  2-15-2-7  X ✓ X
  2-15-2-8  X ✓ X
  2-15-2-9  X ✓ X
  2-15-2-10  X ✓ X
2-15-3  ✓ ✓ ✓
2-16-1
  2-16-1-1  NBED NBED NBED
  2-16-1-2  NBED NBED NBED
  2-16-1-3  NBED NBED NBED
2-16-2
  2-16-2-1  NBED NBED NBED
  2-16-2-2  NBED NBED NBED
  2-16-2-3  NBED NBED NBED
  2-16-2-4  NBED NBED NBED
2-16-3
  2-16-3-2  NBED NBED NBED
  2-16-3-2  NBED NBED NBED
  2-16-3-3  NBED NBED NBED
  2-16-3-4  NBED NBED NBED
2-17-1
  2-17-1-1  NBED NBED NBED
  2-17-1-2  NBED NBED NBED
2-17-2
  2-17-2-1  NBED NBED NBED
  2-17-2-2  NBED NBED NBED
2-17-3
  2-17-3-2  NBED NBED NBED
  2-17-3-2  NBED NBED NBED
  2-17-3-3  NBED NBED NBED
  2-17-3-4  NBED NBED NBED
3-1-1
  3-1-1-1  ✓ ✓ ✓
  3-1-1-2  ✓ ✓ ✓
  3-1-1-3  ✓ ✓ ✓
  3-1-1-4  ✓ ✓ ✓
  3-1-1-5  X ✓ X
  3-1-1-6  X ✓ X
  3-1-1-7  X ✓ X
  3-1-1-8  X ✓ X
  3-1-1-9  X ✓ X
  3-1-1-10  ✓ ✓ ✓
4-1-1
  4-1-1-1  ✓ ✓ ✓
  4-1-1-2  ✓ ✓ ✓
  4-1-1-3  ✓ ✓ ✓
  4-1-1-4  ✓ ✓ ✓
  4-1-1-5  ✓ ✓ ✓
4-1-2
  4-1-2-1  ✓ ✓ ✓
  4-1-2-2  ✓ ✓ ✓
4-1-3  ✓ ✓ ✓
This appendix gives a breakdown of applicability of all controls against the most common network
natures. The following breakdown is used:
Open / Closed
Open: This refers to a network that has access to other networks, for example via general
internet access, and is therefore accessible from outside of its own network limits.
Closed: This refers to a network that is isolated from external access through other networks,
including via general internet access, and is therefore considered to be closed.
Applicability is given in the table below:
Table 3. NNCC Applicability by Network Nature
Control / Subcontrol  Open Closed
1-1-1  ✓ ✓
1-1-2  ✓ ✓
1-2-1  ✓ ✓
1-3-1
  1-3-1-1  ✓ ✓
  1-3-1-2  ✓ ✓
1-3-2  ✓ ✓
1-4-1  ✓ ✓
1-4-2  ✓ ✓
1-5-1
  1-5-1-1  ✓ ✓
  1-5-1-2  ✓ ✓
  1-5-1-3  ✓ ✓
1-6-1  ✓ ✓
1-6-2
  1-6-2-1  ✓ ✓
  1-6-2-2  ✓ ✓
1-7-1  ✓ ✓
1-8-1  ✓ ✓
1-9-1  ✓ ✓
1-9-2
  1-9-2-1  ✓ ✓
  1-9-2-2  ✓ ✓
  1-9-2-3  ✓ ✓
  1-9-2-4  ✓ ✓
1-9-3  ✓ ✓
1-10-1  ✓ ✓
1-10-2
  1-10-2-1  ✓ ✓
  1-10-2-2  ✓ ✓
  1-10-2-3  ✓ ✓
  1-10-2-4  ✓ ✓
  1-10-2-5  ✓ ✓
1-10-3  ✓ ✓
2-1-1
  2-1-1-1  ✓ ✓
  2-1-1-2  ✓ ✓
  2-1-1-3  ✓ ✓
  2-1-1-4  ✓ ✓
2-1-2
  2-1-2-1  ✓ ✓
  2-1-2-2  ✓ ✓
2-1-3
  2-1-3-1  ✓ ✓
  2-1-3-2  ✓ ✓
  2-1-3-3  ✓ ✓
  2-1-3-4  ✓ ✓
2-2-1
  2-2-1-1  ✓ ✓
  2-2-1-2  ✓ ✓
  2-2-1-3  ✓ ✓
  2-2-1-4  ✓ ✓
  2-2-1-5  ✓ ✓
  2-2-1-6  ✓ ✓
  2-2-1-7  ✓ ✓
  2-2-1-8  ✓ ✓
2-3-1
  2-3-1-1  ✓ ✓
  2-3-1-2  ✓ ✓
  2-3-1-3  ✓ ✓
  2-3-1-4  ✓ ✓
  2-3-1-5  ✓ ✓
  2-3-1-6  ✓ ✓
  2-3-1-7  ✓ ✓
2-3-2
  2-3-2-1  ✓ ✓
  2-3-2-2  ✓ ✓
  2-3-2-3  ✓ ✓
  2-3-2-4  NBED NBED
2-4-1
  2-4-1-1  ✓ ✓
  2-4-1-2  ✓ ✓
  2-4-1-3  ✓ ✓
  2-4-1-4  ✓ ✓
  2-4-1-5  NBED NBED
2-4-2
  2-4-2-1  ✓ X
  2-4-2-2  ✓ X
  2-4-2-3  ✓ X
  2-4-2-4  ✓ X
2-4-3
  2-4-3-1  ✓ ✓
  2-4-3-2  ✓ ✓
  2-4-3-3  ✓ ✓
  2-4-3-4  ✓ ✓
2-4-4  NBED NBED
2-4-5
  2-4-5-1  ✓ X
  2-4-5-2  ✓ X
  2-4-5-3  ✓ X
  2-4-5-4  ✓ X
  2-4-5-5  ✓ X
  2-4-5-6  ✓ X
  2-4-5-7  ✓ X
  2-4-5-8  ✓ X
2-5-1
  2-5-1-1  ✓ X
  2-5-1-2  ✓ X
  2-5-1-3  ✓ X
  2-5-1-4  ✓ X
  2-5-1-5  ✓ X
  2-5-1-6  ✓ X
  2-5-1-7  ✓ X
  2-5-1-8  ✓ X
2-6-1
  2-6-1-1  ✓ ✓
  2-6-1-2  ✓ ✓
  2-6-1-3  ✓ ✓
  2-6-1-4  ✓ ✓
2-7-1
  2-7-1-1  ✓ ✓
  2-7-1-2  ✓ ✓
2-7-2
  2-7-2-1  ✓ ✓
  2-7-2-2  ✓ ✓
  2-7-2-3  NBED NBED
  2-7-2-4  NBED NBED
2-7-3  NBED NBED
2-7-4  NBED NBED
2-8-1
  2-8-1-1  ✓ ✓
  2-8-1-2  ✓ ✓
  2-8-1-3  ✓ ✓
  2-8-1-4  ✓ ✓
  2-8-1-5  ✓ ✓
  2-8-1-6  ✓ ✓
2-9-1
  2-9-1-1  ✓ ✓
  2-9-1-2  ✓ ✓
  2-9-1-3  ✓ ✓
  2-9-1-4  ✓ ✓
  2-9-1-5  ✓ ✓
2-10-1
  2-10-1-1  ✓ ✓
  2-10-1-2  ✓ ✓
  2-10-1-3  ✓ ✓
  2-10-1-4  ✓ ✓
2-11-1
  2-11-1-1  ✓ ✓
  2-11-1-2  ✓ ✓
  2-11-1-3  ✓ ✓
  2-11-1-4  ✓ ✓
  2-11-1-5  ✓ ✓
2-12-1
  2-12-1-1  ✓ ✓
  2-12-1-2  ✓ ✓
  2-12-1-3  ✓ ✓
  2-12-1-4  ✓ ✓
  2-12-1-5  ✓ ✓
  2-12-1-6  ✓ ✓
2-13-1
  2-13-1-1  ✓ ✓
  2-13-1-2  ✓ ✓
  2-13-1-3  ✓ ✓
  2-13-1-4  ✓ ✓
  2-13-1-5  ✓ ✓
  2-13-1-6  ✓ ✓
  2-13-1-7  ✓ ✓
  2-13-1-8  ✓ ✓
  2-13-1-9  ✓ ✓
  2-13-1-10  ✓ ✓
  2-13-1-11  ✓ ✓
2-14-1  ✓ ✓
2-14-2
  2-14-2-1  ✓ ✓
  2-14-2-2  ✓ ✓
  2-14-2-3  ✓ ✓
  2-14-2-4  ✓ ✓
  2-14-2-5  ✓ ✓
  2-14-2-6  ✓ ✓
  2-14-2-7  ✓ ✓
  2-14-2-8  ✓ ✓
  2-14-2-9  ✓ ✓
  2-14-2-10  ✓ ✓
  2-14-2-11  ✓ ✓
  2-14-2-12  ✓ ✓
2-14-3  ✓ ✓
2-15-1  ✓ ✓
2-15-2
  2-15-2-1  ✓ ✓
  2-15-2-2  ✓ ✓
  2-15-2-3  ✓ ✓
  2-15-2-4  ✓ ✓
  2-15-2-5  ✓ ✓
  2-15-2-6  ✓ ✓
  2-15-2-7  ✓ ✓
  2-15-2-8  ✓ ✓
  2-15-2-9  ✓ ✓
  2-15-2-10  ✓ ✓
2-15-3  ✓ ✓
2-16-1
  2-16-1-1  NBED NBED
  2-16-1-2  NBED NBED
  2-16-1-3  NBED NBED
2-16-2
  2-16-2-1  NBED NBED
  2-16-2-2  NBED NBED
  2-16-2-3  NBED NBED
  2-16-2-4  NBED NBED
2-16-3
  2-16-3-2  NBED NBED
  2-16-3-2  NBED NBED
  2-16-3-3  NBED NBED
  2-16-3-4  NBED NBED
2-17-1
  2-17-1-1  NBED NBED
  2-17-1-2  NBED NBED
2-17-2
  2-17-2-1  NBED NBED
  2-17-2-2  NBED NBED
2-17-3
  2-17-3-2  NBED NBED
  2-17-3-2  NBED NBED
  2-17-3-3  NBED NBED
  2-17-3-4  NBED NBED
3-1-1
  3-1-1-1  ✓ ✓
  3-1-1-2  ✓ ✓
  3-1-1-3  ✓ ✓
  3-1-1-4  ✓ ✓
  3-1-1-5  ✓ ✓
  3-1-1-6  ✓ ✓
  3-1-1-7  ✓ ✓
  3-1-1-8  ✓ ✓
  3-1-1-9  ✓ ✓
  3-1-1-10  ✓ ✓
4-1-1
  4-1-1-1  ✓ ✓
  4-1-1-2  ✓ ✓
  4-1-1-3  ✓ ✓
  4-1-1-4  ✓ ✓
  4-1-1-5  ✓ ✓
4-1-2
  4-1-2-1  ✓ ✓
  4-1-2-2  ✓ ✓
4-1-3  ✓ ✓
Terminology and Definitions
Black Box Penetration Testing: Black box penetration testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance.
Data Loss Tolerance: The maximum amount of data loss, measured in time, that is acceptable to business requirements.
Gateway: An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks.
Grey Box Penetration Testing: In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter.
Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Physical Penetration Testing: Physical penetration testing is a simulated intrusion attempt that is designed to identify weaknesses in an entity's physical security. This is different from other types of penetration testing as the target is not a cyber one; instead, it is the physical location.
Rules of Engagement: Rules of Engagement (RoE) is a document that deals with the manner in which the penetration test is to be conducted. Some of the directives that should be clearly spelled out in the RoE before an organization starts the penetration test could be the type and scope of testing, IT team notifications, and sensitive data handling measures.