Restricted

National Networks Cybersecurity Controls (NNCC)

(NNCC – 1: 2021)

Sharing Indicator: White

Document Classification: Public

Restricted – Internal

Disclaimer: The following controls will be governed by and implemented in
accordance with the laws of the Kingdom of Saudi Arabia, and must be subject
to the exclusive jurisdiction of the courts of the Kingdom of Saudi Arabia.
Therefore, the Arabic version will be the binding language for all matters
relating to the meaning or interpretation of this document.


In the name of God, the Most Gracious, the Most Merciful


Traffic Light Protocol (TLP):

The Traffic Light Protocol was created to allow the widest possible sharing of information, and it is used on a wide scale around the world.
There are four colours (light signals):

Red – personal and confidential, for the recipient only

The recipient may not share material marked with the red indicator with any individual, whether inside or outside the organization, beyond the scope specified for receipt.

Amber – limited sharing

The recipient of amber-marked material may share the information within the same organization only with the people concerned, and with those who are required to take action regarding the information.

Green – sharing within the same community

It may be shared with others in your organization, or in another organization that has a relationship with you or belongs to the same sector, but it may not be exchanged or published through public channels.

White – unlimited


Table of Contents
Executive Summary...............................................................................................................................7
Introduction...........................................................................................................................................8
Objectives..............................................................................................................................................9
National Networks...............................................................................................................................10
Definition of National Networks.....................................................................................................10
Network Categorization Methodology.............................................................................................10
Scope of Work and Applicability........................................................................................................11
NNCC Scope of Work.....................................................................................................................11
NNCC Statement of Applicability...................................................................................................11
Implementation and compliance..........................................................................................................12
Update and Review..............................................................................................................................12
NNCC Domains and Structure............................................................................................................13
Domains and subdomains................................................................................................................13
Notation...........................................................................................................................................15
Structure..........................................................................................................................................16
The National Networks Cybersecurity Controls..................................................................................17
1. Cybersecurity Governance...................................................................................................17
2. Cybersecurity Defense.........................................................................................................23
3. Cybersecurity Resilience.....................................................................................................40
4. Third-Party Cybersecurity....................................................................................................42
Appendices..........................................................................................................................................43
Appendix (A): Applicability of controls to network elements.........................................................43
Appendix (B): Applicability of controls to network nature..............................................................51
Appendix (C): List of Abbreviations...............................................................................................58
Appendix (D): Terms and Definitions.............................................................................................59

List of Tables
Table 1. NNCC Methodological Structure for a Domain.......................................................................................
Table 2. NNCC Applicability by Network Element...............................................................................................
Table 2. NNCC Applicability by Network Nature.................................................................................................


List of Figures
Figure 1. NNCC Main Domains and Subdomains.................................................................................................
Figure 2. NNCC Control Document Coding Scheme............................................................................................
Figure 3. NNCC Main Domain, Subdomain, Main Control and Subcontrol Structure..........................................


Executive Summary

The Kingdom of Saudi Arabia is fast becoming a regional leader in digital society, following a
continuous and rapid digital transformation, borne out of the Kingdom’s Vision 2030 strategy.
Citizens are benefitting from increased digitalization of services and greater access to the connected
world, and local business and government alike are increasing their capabilities through the adoption
of emerging technologies. Essential to this ongoing transformation is a secure and well-functioning
national IT infrastructure that supports the flow of data between various stakeholders in a smooth and
dependable manner.


It has been the role of the National Cybersecurity Authority (NCA), since its establishment on
11/2/1439H, to ensure that the digital ecosystem of the Kingdom is secured through appropriate
cybersecurity policies, mechanisms, frameworks, standards, controls, and guidelines, and also through
continuous monitoring of organizations’ compliance.


NCA’s mandate states that its responsibility for cybersecurity does not absolve any public, private or
other organization from its own cybersecurity responsibilities. To this end, NCA developed the
National Networks Cybersecurity Controls (NNCC – 1: 2021). As an extension to the Essential
Cybersecurity Controls (ECC – 1: 2018) and Critical Systems Cybersecurity Controls (CSCC – 1:
2019), this document focuses on nationally relevant networks, termed ‘National Networks’, whose
compromise would result in negative economic, financial, security or social impacts on the national
level [1]. Nonetheless, due to the different degrees of national relevance of such networks, they can be
further categorized into three security levels (Low, Medium, and High), for which tailored
cybersecurity controls are applied.


[1] The full criteria for National Networks can be found in the “Network Categorisation Methodology” document.


The NNCC was developed taking into consideration international and national frameworks and
standards that were deemed best practice. As such, the NNCC consists of the following:
• 4 Cybersecurity Domains
• 29 Cybersecurity Subdomains
• 55 Cybersecurity Main Controls
• 179 Cybersecurity Subcontrols


To ensure the continuous compliance by organizations, NCA issued the Assessment and Compliance
Tool (NNCC – 1: 2021 Assessment and Compliance Tool). Nonetheless, in order to be fully
compliant with these controls, organizations are mandated to comply with ECC and other applicable
controls.


Introduction

The National Networks Cybersecurity Controls (NNCC – 1: 2021) was created by the National
Cybersecurity Authority (hereinafter, the “NCA”) to provide adequate cybersecurity coverage for
National Networks. The controls act as an extension to both the Essential Cybersecurity Controls
(ECC – 1: 2018), which includes the minimum cybersecurity requirements for information and
technology assets in organizations, and the Critical Systems Cybersecurity Controls (CSCC – 1:
2019), which includes an additional layer of cybersecurity coverage for Critical Systems within the
Kingdom.


Due to the increasing prevalence of such networks in the support of major infrastructure of the
country and key services within critical sectors, the identification, categorization, and protection of
these networks is of utmost importance. Although this document focuses on the protection of
National Networks at any security level, the identification of these networks and their categorization
to their appropriate level are covered by the “Network Categorization Methodology”, also issued by
NCA.


The NNCC was developed after conducting a comprehensive study of multiple international and
national cybersecurity frameworks and standards (e.g. US - NIST 800-53 and ISO 27002), studying
related national decisions, law, and regulatory requirements (e.g. Australia - Security of Critical
Infrastructure Act 2018), reviewing and leveraging cybersecurity best practices, and analyzing
previous cybersecurity incidents and attacks on government and other critical organizations.


As an extension to the ECC and CSCC, organizations are also mandated to comply with both ECC
and CSCC requirements in order to be fully compliant with the NNCC.


Objectives

As an extension to ECC, the purpose of the NNCC is to set the minimum cybersecurity requirements
for National Networks in organizations. The NNCC is constructed upon industry best practices,
comprising international and national standards, which will help operators of National Networks
enhance their cybersecurity and resilience against internal and external threats. The objectives of the
NNCC are therefore the following:
• To provide adequate cybersecurity controls to protect the Kingdom’s most important national
infrastructure
• To ensure the confidentiality, integrity and availability of national network infrastructures
• To protect the everyday lives of citizens and businesses that depend upon important networks
within the Kingdom


National Networks

Definition of National Networks

The definition of ‘National Network’ recognized by the NCA, and used for the purpose of network
categorization and application of cybersecurity controls, is as follows:


“A unique network that supports one or more dedicated services with importance for the Kingdom,
such that a compromise of the confidentiality, integrity or availability of the electronic data that is
carried by the network and its devices would cause negative economic, financial, security or social
impacts on the national level.”


Networks have an assigned categorization level based on the key factors of the network in relation to
identified Critical National Infrastructure of the nation, such as Critical Systems and Critical Entities.
These indicators are used to determine the likely damage that a compromise of the National Network
would represent. As such, tailored cybersecurity controls are applied to networks of different levels.


These levels are presented below:


• Low Risk National Network: This categorization level represents the lowest risk of National
Networks, with some criticality of impact resulting from a compromise of the information. As
such, these networks require a minimum standard of network security controls to be applied.
There are 136 applicable controls or subcontrols assigned to level “Low”.


• Medium Risk National Network: This categorization level represents National Networks
with a moderate risk level due to their national relevance. As such, these networks require a
moderate level of network cybersecurity controls to be applied. There are 161 applicable
controls or subcontrols assigned to level “Medium”.


‫‪‬‬ ‫‪High Risk National Networks: National Networks at this categorization level are deemed‬‬
‫‪the most critical and would cause a catastrophic or irreversible effect to the Kingdom. These‬‬
‫‪networks therefore have the highest risk and therefore require the most stringent level of‬‬
‫‪network security controls to be applied. There are 173 applicable controls or subcontrols‬‬
‫‪assigned to level “High”.‬‬


Network Categorization Methodology

The identification and categorization of National Networks is a necessary step to be taken before the
cybersecurity measures are applied. To this end, NCA issued the “Network Categorization
Methodology”, which aims to assist network owners and operators, or government agents that audit
such networks, to identify and classify National Networks using an assessment of national relevance.
To support this effort, NCA issued the “Network Categorization Tool”.


Scope of Work and Applicability


NNCC Scope of Work

The cybersecurity controls outlined in this document are applicable to networks deemed of low,
medium or high “national relevance” [2] by the organizations who own or operate these networks in the
Kingdom of Saudi Arabia, including:


• Government entities operating National Networks.
• Private organizations operating National Networks.
• Providers of international networks (e.g. those connecting embassies or international branches),
so long as they meet the identification criteria.
• Any other operators of networks that meet the criteria to be considered National Networks.

NNCC Statement of Applicability

These controls have been developed after taking into consideration the cybersecurity needs of
organizations and sectors which operate with National Networks in the Kingdom of Saudi Arabia. In
this regard, such organizations must comply with all applicable controls within this document in
accordance with their categorization level, unless otherwise stated.


[2] In accordance with the “Network Categorisation Methodology”.


Implementation and Compliance

To comply with item 3 of article 10 of NCA’s mandate, and as per Royal Decree number 57231
dated 10/11/1439H, all organizations within the scope of these controls must implement whatever is
necessary to ensure continuous compliance with the controls.


NCA evaluates organizations’ compliance with the NNCC through multiple means such as self-
assessments by the organizations, periodic reports of the Assessment and Compliance Tool or on-site
audits.


Compliance with ECC – 1: 2018 and CSCC – 1: 2019 is a mandatory pre-requisite for organizations
owning or operating National Networks, regardless of their network category (low, medium, or high).

Assessment and Compliance Tool

NCA has issued a tool (NNCC – 1: 2021 Assessment and Compliance Tool) to organize the process
of evaluation and compliance measurement against the NNCC. Further details on the utilization of the
Tool are provided in the “Assessment and Compliance Tool User Manual”.


Update and Review

NCA will periodically review and update the NNCC, as existing controls may become outdated and
new ones, e.g. regarding emerging technologies and new trends, may need to be incorporated. NCA
will communicate and publish the updated version of the NNCC for implementation and compliance.


NNCC Domains and Structure

Domains and subdomains

The NNCC controls are comprised of multiple domains and subdomains, which are given in Figure 1,
below.

Domain 1: Cybersecurity Governance
  1-1  Cybersecurity Strategy
  1-2  Cybersecurity Policies and Procedures
  1-3  Cybersecurity Roles and Responsibilities
  1-4  Cybersecurity Risk Management
  1-5  Cybersecurity in Information and Technology Project Management
  1-6  Periodical Cybersecurity Review and Audit
  1-7  Cybersecurity in Human Resources
  1-8  Cybersecurity Awareness and Training Program
  1-9  Cybersecurity in Change Management
  1-10 Cybersecurity in Configuration Management

Domain 2: Cybersecurity Defense
  2-1  Asset Management
  2-2  Identity and Access Management
  2-3  Information System and Information Processing Facilities Protection
  2-4  Networks Security Management
  2-5  Mobile Devices Security
  2-6  Data and Information Protection
  2-7  Cryptography
  2-8  Backup and Recovery Management
  2-9  Vulnerabilities Management
  2-10 Penetration Testing
  2-11 Cybersecurity Event Logs and Monitoring Management
  2-12 Cybersecurity Incident and Threat Management
  2-13 Physical Security
  2-14 Transmission Media Cybersecurity
  2-15 Boundary Cybersecurity
  2-16 Routing Security
  2-17 DNS Security

Domain 3: Cybersecurity Resilience
  3-1  Cybersecurity Resilience Aspects of Business Continuity Management (BCM)

Domain 4: Third-Party Cybersecurity
  4-1  Third-Party Cybersecurity

Figure 1. NNCC Main Domains and Subdomains


Notation

Control documents issued by NCA have a unique identifier as shown in Figure 2.

NNCC - 1 : 2021
  NNCC = National Networks Cybersecurity Controls
  1    = Version No.
  2021 = Year of Issuance

Figure 2. NNCC Control Document Coding Scheme

Further, controls within the document also have a unique identifier as given in Figure 3.

2 - 4 - 1 - 5
  2 = Main Domain No.
  4 = Subdomain No.
  1 = Main Control No.
  5 = Subcontrol No.

Figure 3. NNCC Main Domain, Subdomain, Main Control and Subcontrol Structure


Structure

Domains, subdomains, and controls within this document are structured as per Table 1.

Table 1. NNCC Methodological Structure for a Domain

1   Name of the Main Domain                    (1 = reference number of the Main Domain)
Reference No. of the Subdomain   Name of the Subdomain
Objective
Controls                                                                  Level
Control Reference Number   Control Clauses                                Applicable level

In addition to the notation and structure provided in the sections above, the green colored numbers
(e.g. 1-3-2) refer to subdomains or controls of the ECC – 1: 2018 or CSCC – 1: 2019.
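As an added example (not code from the NNCC document or any NCA tool), the following Python module encodes the control-reference scheme of Figure 3 and the subdomain table of Figure 1, and uses the Level column of Table 1 to select the controls that bind on a network of a given categorization. The cumulative reading of a named level (it applies to that category and every higher one) is an assumption, since this page only shows the values “All” and “High”; the sample control list is constructed from the controls shown on this page.

```python
"""Parse NNCC control references (Figure 3), validate them against the
subdomain table (Figure 1), and select the controls binding on a National
Network of a given category. Added example; not NCA code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Subdomains per Figure 1, keyed by (main domain no., subdomain no.).
SUBDOMAINS = {
    (1, 1): "Cybersecurity Strategy",
    (1, 2): "Cybersecurity Policies and Procedures",
    (1, 3): "Cybersecurity Roles and Responsibilities",
    (1, 4): "Cybersecurity Risk Management",
    (1, 5): "Cybersecurity in Information and Technology Project Management",
    (1, 6): "Periodical Cybersecurity Review and Audit",
    (1, 7): "Cybersecurity in Human Resources",
    (1, 8): "Cybersecurity Awareness and Training Program",
    (1, 9): "Cybersecurity in Change Management",
    (1, 10): "Cybersecurity in Configuration Management",
    (2, 1): "Asset Management",
    (2, 2): "Identity and Access Management",
    (2, 3): "Information System and Information Processing Facilities Protection",
    (2, 4): "Networks Security Management",
    (2, 5): "Mobile Devices Security",
    (2, 6): "Data and Information Protection",
    (2, 7): "Cryptography",
    (2, 8): "Backup and Recovery Management",
    (2, 9): "Vulnerabilities Management",
    (2, 10): "Penetration Testing",
    (2, 11): "Cybersecurity Event Logs and Monitoring Management",
    (2, 12): "Cybersecurity Incident and Threat Management",
    (2, 13): "Physical Security",
    (2, 14): "Transmission Media Cybersecurity",
    (2, 15): "Boundary Cybersecurity",
    (2, 16): "Routing Security",
    (2, 17): "DNS Security",
    (3, 1): "Cybersecurity Resilience Aspects of Business Continuity Management (BCM)",
    (4, 1): "Third-Party Cybersecurity",
}

# Network categorization levels, lowest to highest.
CATEGORIES = ("Low", "Medium", "High")
RANK = {c: i for i, c in enumerate(CATEGORIES)}


@dataclass(frozen=True)
class ControlRef:
    """domain-subdomain-control[-subcontrol], e.g. 2-4-1-5 (Figure 3)."""
    domain: int
    subdomain: int
    control: int
    subcontrol: Optional[int] = None

    @property
    def subdomain_name(self) -> str:
        return SUBDOMAINS[(self.domain, self.subdomain)]


def parse_control_ref(text: str) -> ControlRef:
    """Parse "2-4-1-5" or "1-1-2"; reject unknown domain/subdomain pairs."""
    parts = text.strip().split("-")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed control reference: {text!r}")
    nums = [int(p) for p in parts]
    if min(nums) < 1:
        raise ValueError(f"reference fields are numbered from 1: {text!r}")
    if (nums[0], nums[1]) not in SUBDOMAINS:
        raise ValueError(f"unknown subdomain {nums[0]}-{nums[1]} in {text!r}")
    return ControlRef(nums[0], nums[1], nums[2], nums[3] if len(nums) == 4 else None)


def applies_to(level: str, category: str) -> bool:
    """True if a control with this Level column binds a network of `category`.
    "All" binds every category. ASSUMPTION (not stated on the page): a named
    level binds that category and every higher one, which matches the growing
    counts for Low (136), Medium (161) and High (173)."""
    if category not in RANK:
        raise ValueError(f"unknown network category: {category!r}")
    if level == "All":
        return True
    if level not in RANK:
        raise ValueError(f"unknown control level: {level!r}")
    return RANK[category] >= RANK[level]


def applicable_controls(controls: Iterable[Tuple[str, str]],
                        category: str) -> List[ControlRef]:
    """Keep the (reference, level) pairs that bind on `category`."""
    return [parse_control_ref(r) for r, lvl in controls if applies_to(lvl, category)]


# Constructed sample: the controls and levels shown on this page of the NNCC.
SAMPLE_CONTROLS = [
    ("1-1-1", "All"), ("1-1-2", "All"), ("1-2-1", "All"),
    ("1-3-1-1", "High"), ("1-3-1-2", "All"),
]
```

Green-coloured cross-references to ECC or CSCC controls (e.g. 1-3-2) use the same three-field shape but belong to those documents, so they should be resolved against the ECC/CSCC tables rather than SUBDOMAINS above.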


The National Networks Cybersecurity Controls


Details of the National Networks Cybersecurity Controls.

1 Cybersecurity Governance

1. Cybersecurity Governance

1-1 Cybersecurity Strategy

Objective: To ensure that cybersecurity plans, goals, initiatives, and projects are contributing to the cybersecurity of the national network and compliance with related laws and regulations, and organizational requirements.

Controls (applicable level in brackets):

1-1-1 [All] With reference to ECC control 1-1-1, a cybersecurity strategy must be defined and implemented to support the protection of national networks.

1-1-2 [All] With reference to ECC control 1-1-3, the cybersecurity strategy must be reviewed after: a change of the network categorization; following significant changes in the network mission and services provided; or upon changes to related laws and regulations.

1-2 Cybersecurity Policies and Procedures

Objective: To ensure that cybersecurity requirements of the national network are documented, communicated and complied with as per related laws and regulations, and organizational requirements.

Controls (applicable level in brackets):

1-2-1 [All] With reference to ECC control 1-3-1, when new versions of policies and procedures related to the national network are published, the versions that have been disseminated to beneficiaries/clients and any other third parties must be updated accordingly.

1-3 Cybersecurity Roles and Responsibilities

Objective: To ensure that roles and responsibilities are defined and implemented for all parties accessing the national network information and technology assets, as per organizational policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

1-3-1 With reference to ECC control 1-4-1, cybersecurity requirements for cybersecurity roles and responsibilities must include, at a minimum, the following:
    1-3-1-1 [High] Any cybersecurity roles and responsibilities must be assigned to qualified Saudi nationals only.
    1-3-1-2 [All] Critical cybersecurity roles and responsibilities must be assigned to qualified Saudi nationals only.

1-3-2 [All] With reference to ECC control 1-4-2, the cybersecurity roles and responsibilities must be reviewed at least:
    - Annually;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.

1-4 Cybersecurity Risk Management

Objective: To ensure that cybersecurity risks are managed in a methodological approach in order to protect the national network information and technology assets, as per organizational policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

1-4-1 [All] In addition to the subcontrols in ECC control 1-5-3, a comprehensive risk assessment of the national network infrastructure and environment must be performed at least:
    - Annually;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.

1-4-2 [All] With reference to ECC control 1-5-2, a risk mitigating action plan must be developed, documented, approved and executed as the result of the implementation of the risk assessment procedures, and its implementation status reviewed at least once every three months.

1-5 Cybersecurity in Information and Technology Project Management

Objective: To ensure that cybersecurity requirements and procedures are included in information system development and deployment in order to protect the confidentiality, integrity and availability of the national network information and technology assets as per organization policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

1-5-1 In addition to the subcontrols in ECC control 1-6-2 and ECC control 1-6-3, cybersecurity requirements for information system development and deployment must include, at a minimum, the following:
    1-5-1-1 [All] Proper penetration testing and remediation of vulnerabilities must be performed.
    1-5-1-2 [All] There must be different and isolated environments for development, testing and production, with differentiated access rights and security policies.
    1-5-1-3 [High] Threat modelling must be performed and incorporated in the first stages of the development, prior to information system design and implementation.

1-6 Periodical Cybersecurity Review and Audit

Objective: To ensure that the cybersecurity controls applicable to the national network information and technology assets are implemented and in compliance with organizational policies and procedures, as well as related national and international laws, regulations and agreements.

Controls (applicable level in brackets):

1-6-1 [All] With reference to ECC control 1-8-1 and CSCC control 1-4-1, the compliance and effectiveness of the cybersecurity controls implemented in the national network must be assessed by the cybersecurity function at least according to all of the following triggers:
    - Annually;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.

1-6-2 [All] With reference to ECC control 1-8-2 and CSCC control 1-4-2, the compliance and effectiveness of the cybersecurity controls implemented in the national network must be reviewed by independent third parties within the organization at least with the following frequency:
    1-6-2-1 [Medium, High]
        - Once a year;
        - After a change of the network categorization;
        - Prior to significant changes in the network mission and services provided; or
        - Upon changes to related laws and regulations.
    1-6-2-2 [Low]
        - Once every three years;
        - After a change of the network categorization;
        - Prior to significant changes in the network mission and services provided; or
        - Upon changes to related laws and regulations.

1-7 Cybersecurity in Human Resources

Objective: To ensure that cybersecurity risks and requirements related to personnel (personnel and contractors) accessing the national network information and technology assets are managed efficiently prior to employment, during employment and after termination/separation as per organizational policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

1-7-1 [Medium, High] In addition to ECC control 1-9-5, the employee must be reminded, during the termination process, of the legal consequences arising from a confidentiality breach.

1-8 Cybersecurity Awareness and Training Program

Objective: To ensure that personnel are aware of their cybersecurity responsibilities, have the essential cybersecurity awareness and required cybersecurity training, skills and credentials needed to accomplish their cybersecurity responsibilities to protect the national network information and technology assets.

Controls (applicable level in brackets):

1-8-1 [All] In addition to the subcontrols in ECC control 1-10-3, the cybersecurity requirements for the cybersecurity awareness program must include, at a minimum, the following:
    - Alerting and management of any potential suspicious activity,
    - Main procedures and policies of the national network,
    - Main security threats and best practices, and
    - Secure management of sensitive information.

1-9 Cybersecurity in Change Management

Objective: To ensure that changes to the national network technology assets are properly controlled, registered and managed, as per organizational policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

1-9-1 [All] Cybersecurity requirements and procedures within the national network change management lifecycle must be defined, documented, approved and integrated with the cybersecurity function processes, including cybersecurity risk management and configuration management.

1-9-2 In addition to the subcontrols in ECC control 1-6-2 and ECC control 1-6-3, the cybersecurity requirements within the national network change management lifecycle must include, at a minimum, the following:
    1-9-2-1 [All] Change requests must be assessed, classified and managed in line with the risk management policy and risk tolerance policy of the organization running the network.
    1-9-2-2 [All] Change requests must include any relevant actor and technical detail, including preparation, implementation and testing.
    1-9-2-3 [Medium, High] Compliance with change management procedures of executed change requests must be reviewed at least every three months.
    1-9-2-4 [Low] Compliance with change management procedures of executed change requests must be reviewed at least every six months.

1-9-3 [All] The cybersecurity requirements within the national network change management lifecycle must be reviewed at least:
    - Annually;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.

1-10 Cybersecurity in Configuration Management

Objective: To ensure that the components and configurations of the national network technology assets are identified, controlled, registered and managed, as per organizational policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

1-10-1 [All] Cybersecurity requirements and procedures within the national network configuration management lifecycle must be defined, documented, approved, implemented and integrated with the cybersecurity function, including risk management and change management.

1-10-2 Cybersecurity requirements for configuration baselines for the national network must include, at a minimum, the following:
    1-10-2-1 [All] There must be established configuration baselines covering the main technical parameters of the information systems, including network devices, end user devices, servers, middleware and any other technical component of the national network.
    1-10-2-2 [All] The configuration baselines for each information system and criticality must be reviewed and updated at least:
        - Once every two years; or
        - Prior to significant technical changes; or
        - Upon changes to related laws and regulations.
    1-10-2-3 [Low] With reference to CSCC subcontrol 2-3-1-6, compliance of the information systems configuration with the established baseline must be assessed at least annually.
    1-10-2-4 [Medium, High] With reference to CSCC subcontrol 2-3-1-6, compliance of the information systems configuration with the established baseline must be monitored with automatic tools.
    1-10-2-5 [High] Deviations of baseline parameters in critical information systems must generate an alert to be managed with the national network operational procedures.

1-10-3 [All] The cybersecurity requirements for the national network configuration management lifecycle must be reviewed at least:
    - Annually;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.
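The assessment, monitoring and alerting that 1-10-2-3 to 1-10-2-5 require reduce to one operation: compare each system's running configuration with its approved baseline and treat every difference as a deviation, escalating deviations on critical systems. The Python below is an added example written for this page, not code from NCA or from any product. The baseline parameters, device names and running configurations are constructed samples, and the criticality flag stands in for whatever the asset inventory (subdomain 2-1) records.

```python
"""Configuration baseline compliance check (added example for NNCC 1-10-2).

Compares each device's running configuration with the approved baseline,
lists every deviation (1-10-2-3 / 1-10-2-4) and flags deviations on critical
systems as alerts for the operational procedures (1-10-2-5). Baseline
parameters, device names and running configurations are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: approved value of each main technical parameter.
BASELINE: Dict[str, str] = {
    "ssh.version": "2",
    "ssh.ciphers": "aes256-gcm",
    "telnet.enabled": "false",
    "snmp.version": "3",
    "ntp.source_count": "2",
    "logging.remote": "true",
}


@dataclass
class Device:
    name: str
    critical: bool           # criticality comes from the asset inventory (2-1-1)
    running: Dict[str, str]  # parameters read from the device


@dataclass
class Finding:
    device: str
    parameter: str
    expected: Optional[str]  # None: parameter is not in the baseline at all
    actual: Optional[str]    # None: parameter is missing on the device
    alert: bool              # True when the device is critical (1-10-2-5)


def assess(device: Device, baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Return one Finding per deviation from the baseline."""
    findings: List[Finding] = []
    for param, expected in baseline.items():
        actual = device.running.get(param)
        if actual != expected:
            findings.append(Finding(device.name, param, expected, actual, device.critical))
    # A parameter set on the device but absent from the baseline is also a
    # deviation: it may be an unapproved change that bypassed change management.
    for param in sorted(set(device.running) - set(baseline)):
        findings.append(Finding(device.name, param, None, device.running[param], device.critical))
    return findings


def is_compliant(device: Device, baseline: Dict[str, str] = BASELINE) -> bool:
    return not assess(device, baseline)


def assess_fleet(devices: List[Device], baseline: Dict[str, str] = BASELINE
                 ) -> Tuple[List[Finding], List[Finding]]:
    """Assess all devices; return (all findings, findings that must raise an alert)."""
    findings = [f for d in devices for f in assess(d, baseline)]
    alerts = [f for f in findings if f.alert]
    return findings, alerts


# Constructed inventory: two critical core devices and one access switch.
SAMPLE_DEVICES = [
    Device("core-rtr-01", True, {**BASELINE, "telnet.enabled": "true"}),
    Device("access-sw-07", False, {**BASELINE, "snmp.version": "2c", "banner.motd": "lab"}),
    Device("dist-sw-02", True, dict(BASELINE)),
]

if __name__ == "__main__":
    all_findings, alerts = assess_fleet(SAMPLE_DEVICES)
    for f in all_findings:
        label = "ALERT" if f.alert else "finding"
        print(f"{label}: {f.device} {f.parameter} expected={f.expected!r} actual={f.actual!r}")
```

Run on a schedule from the automated tooling that 1-10-2-4 requires for Medium and High networks, the findings list is the evidence for the annual assessment of 1-10-2-3, and only the alerts list needs to reach the operational procedures of 1-10-2-5.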

2 Cybersecurity Defense

2-1 Asset Management

Objective: To ensure that national network information and technology assets are identified and inventoried in order to assign adequate protection against loss of availability, confidentiality and integrity, as per organization policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

2-1-1 With reference to ECC control 2-1-1, cybersecurity requirements for managing national network information and technology assets must include, at a minimum, the following:
    2-1-1-1 [All] Inventory management procedures must be developed and implemented.
    2-1-1-2 [All] With reference to CSCC subcontrol 2-1-1-2, all assets must be assigned a business and a technical custodian.
    2-1-1-3 [All] In addition to CSCC subcontrol 2-1-1-1, asset inventory must be reviewed and updated at least annually.
    2-1-1-4 [All] Asset inventory must be controlled by an automated system.

2-1-2 With reference to ECC controls 2-1-3 and 2-1-4, cybersecurity requirements for the acceptable use policy of information and technology assets must include, at a minimum, the following:
    2-1-2-1 [All] All personnel with access to data and devices must sign a copy of the acceptable use policy during the on-boarding process.
    2-1-2-2 [All] The adherence to the acceptable use policy of information and devices must be monitored and reviewed at least annually.

2-1-3 With reference to ECC control 2-1-5, cybersecurity requirements for information and technology classification, labelling and handling must include, at a minimum, the following:
    2-1-3-1 [All] A set of procedures for information classification, labelling and handling of information assets must be developed and implemented.
    2-1-3-2 [All] Handling procedures must cover at least: data copying, storage, transmitting, printing, emailing and deleting.
    2-1-3-3 [All] With reference to CSCC subcontrol 2-6-1-4, handling procedures must cover data retention and data disposal parameters and requirements.
    2-1-3-4 [All] Classification, labelling and handling procedures must be reviewed at least:
        - Once every three years; or
        - Upon changes to related laws and regulations.

2-2 Identity and Access Management

Objective: To ensure that logical access to the national network information and technology assets is restricted to authorized users on a need-to-know basis, and to prevent unauthorized access, as per organization policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

2-2-1 In addition to ECC control 2-2-3, cybersecurity requirements for identity and access management for the national network must include, at a minimum, the following:
    2-2-1-1 [All] With reference to ECC subcontrol 2-2-3-1 and CSCC subcontrol 2-2-1-3, user authentication for network systems must require Multi-Factor Authentication (MFA).
    2-2-1-2 [All] All system and device management logins must generate a log entry and an alert.
    2-2-1-3 [All] The user account, including regular and privileged accounts, must be blocked after several consecutive failed attempts.
    2-2-1-4 [All] All personnel must be assigned a unique user ID. The sharing of such user ID with other personnel must be strictly prohibited.
    2-2-1-5 [All] Technical personnel must use different user IDs and devices for day-to-day tasks than for privileged systems administration accounts and devices.
    2-2-1-6 [All] With reference to CSCC subcontrol 2-2-1-5, the password length requirements for privileged and service or system accounts must be stronger than those for unprivileged accounts.
    2-2-1-7 [All] User access rights requests must be registered, whether they are provided or not, and must be provided through a formal process involving, at least, the prior approval of the information system owner or a designated individual.
    2-2-1-8 [All] In addition to CSCC control 2-2-2, user accounts with roles providing special or critical access rights assigned, including remote access rights when applicable, must be reviewed at least once every three months, and any other unprivileged accounts and service and system accounts at least annually.

2-3 Information System and Information Processing Facilities Protection

Objective: To ensure the protection of the technology assets processing and storing information of the national network (including network devices, servers, workstations and end-user devices) against cyber risks.

Controls (applicable level in brackets):

2-3-1 In addition to ECC control 2-3-3, cybersecurity requirements for protecting information systems and information processing facilities must include, at a minimum, the following:
    2-3-1-1 [All] Information systems and data processing devices must include baselines, as stated in NNCC subdomain 1-10.
    2-3-1-2 [All] With reference to CSCC subcontrol 2-7-1-2, the information stored by the information system must be protected from unauthorized physical access.
    2-3-1-3 [All] Input and output physical ports, such as Universal Serial Bus (USB), that are unnecessary must be disabled.
    2-3-1-4 [All] The information system must have its networking configuration and capabilities restricted, including restrictions on connecting to Wi-Fi networks, the use of Bluetooth or Wireless peer-to-peer functionality.
    2-3-1-5 [All] Only secure versions of services and protocols offered by the information system must be used, and any unnecessary service or protocol must be disabled.
    2-3-1-6 [All] Use of unsupported versions of operating systems and devices must be assessed in line with the organization risk tolerance policy, and a set of compensating cybersecurity controls must be identified and implemented if the identified risk is accepted.
    2-3-1-7 [All] Patching and updating must follow change management procedures and ensure that impacts on production systems and environments are minimized.

2-3-2 In addition to ECC subcontrol 2-3-3-4, cybersecurity requirements for the implementation of clock synchronization with Network Time Protocol (NTP) must include, at a minimum, the following:
    2-3-2-1 [All] The national network systems and devices must synchronize the internal clocks using at least two accurate and trusted sources, one of them in a different geographic region than the primary authoritative time source.
    2-3-2-2 [All] The use of the Network Time Security (NTS) extension must be considered to secure NTP, when technically available.
    2-3-2-3 [All] Coordinated Universal Time (UTC) must be used in the NTP servers.
    2-3-2-4 [All] Public queries to stratum NTP servers must be restricted, and communication limited to known networks and hosts.
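A practical way to assess 2-3-2 on a host is to check the time daemon's configuration against each subcontrol. The Python below is an added example written for this page, not part of the NNCC or of the chrony project: it parses chrony.conf-style directives (server/pool/peer with their options, and allow) and reports which requirements a configuration misses, with a weak configuration beside a hardened one. The two configurations, the hostnames and the source-to-region map are constructed; chrony.conf records no location, so the region of each source is an assumption the operator supplies.

```python
"""NTP configuration check against NNCC 2-3-2 (added example).

Parses chrony.conf-style text and reports which 2-3-2 subcontrols the
configuration misses. The two configurations, the hostnames and the
source-to-region map are constructed samples.
"""
from typing import Dict, List, Optional, Tuple

# Constructed: chrony.conf records no location, so the operator supplies
# the geographic region of each configured source (needed for 2-3-2-1).
SOURCE_REGIONS: Dict[str, str] = {
    "ntp1.region-a.example": "region-a",
    "ntp2.region-a.example": "region-a",
    "ntp1.region-b.example": "region-b",
}

WEAK_CONF = """\
# constructed: one source, no NTS, serves time to any client
server ntp1.region-a.example iburst
allow
"""

HARDENED_CONF = """\
# constructed: two sources in different regions, NTS on both,
# NTP service limited to the management and core subnets
server ntp1.region-a.example iburst nts
server ntp1.region-b.example iburst nts
allow 10.10.0.0/16
allow 10.20.0.0/16
"""


def parse_chrony(text: str) -> Tuple[List[Tuple[str, List[str]]], List[Optional[str]]]:
    """Return (sources, allows): sources as (host, options), allows as their
    subnet argument, with None standing for a bare 'allow' (all clients)."""
    sources: List[Tuple[str, List[str]]] = []
    allows: List[Optional[str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive in ("server", "pool", "peer") and args:
            sources.append((args[0], args[1:]))
        elif directive == "allow":
            allows.append(args[0] if args else None)
    return sources, allows


def check_ntp_config(text: str, regions: Dict[str, str] = SOURCE_REGIONS) -> List[str]:
    """Return the sorted list of failed requirements; an empty list is compliant."""
    sources, allows = parse_chrony(text)
    failures = set()
    # 2-3-2-1: at least two sources, not all in the same geographic region
    if len(sources) < 2:
        failures.add("2-3-2-1 fewer than two time sources")
    if len({regions.get(host, "unknown") for host, _ in sources}) < 2:
        failures.add("2-3-2-1 sources not in different geographic regions")
    # 2-3-2-2: NTS on every source where the daemon supports it
    for host, opts in sources:
        if "nts" not in opts:
            failures.add(f"2-3-2-2 NTS not enabled for {host}")
    # 2-3-2-4: a bare 'allow' (or 'allow all') answers queries from any host
    if any(a is None or a == "all" for a in allows):
        failures.add("2-3-2-4 NTP queries not restricted to known networks")
    # 2-3-2-3 (UTC) is a host time-zone setting, not a chrony.conf directive,
    # so it is not checked here.
    return sorted(failures)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_ntp_config(conf) or "compliant")
```

The check only reads the daemon's own configuration; whether a source is "accurate and trusted" (2-3-2-1) and whether the host clock is kept in UTC (2-3-2-3) are verified separately, by the source selection procedure and the host's time-zone setting.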

2-4 Networks Security Management

Objective: To ensure that the transmission of national network information and access to it through network media is protected against cyber risks.

Controls (applicable level in brackets):

2-4-1 In addition to ECC control 2-5-3, cybersecurity requirements for network security management for the national network must include, at a minimum, the following:
    2-4-1-1 [All] With reference to CSCC subcontrol 2-4-1-3, unused physical access points to the network (e.g. wall outlets) must not provide direct access to the network by default.
    2-4-1-2 [All] With reference to CSCC subcontrol 2-4-1-3, devices connecting to the network must be authenticated.
    2-4-1-3 [All] Documentation on network components and structure must be developed, approved, regularly maintained, and access to it must be restricted in line with need-to-know principles.
    2-4-1-4 [All] Network traffic must be monitored and an alert must be triggered after a configured threshold for specific workloads or suspicious activity.
    2-4-1-5 [Medium, High] Core network assets must be managed through an Out-of-Band network, i.e., a secure network isolated from all connected networks.

2-4-2 With reference to ECC subcontrol 2-2-3-2, cybersecurity requirements for remote access to the national network must include, at a minimum, the following:
    2-4-2-1 [All] Remote access must be disabled by default, implemented based on business needs, and assessed and managed with risk management procedures, in line with the risk tolerance policy, before any remote access functionality goes live.
    2-4-2-2 [All] Remote access connection to the national network must be restricted by default and be regulated through a procedure requiring approval from a responsible authority.
    2-4-2-3 [High] With reference to CSCC subcontrol 2-2-1-2, when possible, remote access to the network must be restricted to defined whitelist IP addresses.
    2-4-2-4 [All] Remote access sessions must be terminated automatically after a reasonable amount of time.

2-4-3 With reference to ECC subcontrol 2-5-3-1, cybersecurity requirements for network segmentation for the national network must include, at a minimum, the following:
    2-4-3-1 [All] With reference to CSCC subcontrol 2-4-1-1 and CSCC subcontrol 2-4-1-7, visibility between network segments (open ports, network services, etc.) must be analyzed and restricted based on technical capabilities and need-to-know principles, considering business needs and identified risks.
    2-4-3-2 [All] Information systems and devices providing public services must be located in a demilitarized zone (DMZ).
    2-4-3-3 [All] With reference to CSCC subcontrol 2-3-1-4, the network segmentation must provide enough granularity to ensure that systems, devices and end-user devices are placed in the appropriate network segment according to their criticality and sensitivity.
    2-4-3-4 [All] Network devices must fail in safe mode.

2-4-4 [All] With reference to CSCC subcontrol 2-4-1-6, access to the Internet from systems, devices and end-user devices in open networks must be restricted by default, provided based on business needs, assessed and managed with risk management procedures, and be regulated through a procedure requiring approval from a responsible authority.

2-4-5 With reference to ECC subcontrol 2-5-3-4, cybersecurity requirements for wireless security management must include, at a minimum, the following:
    2-4-5-1 [All] With reference to CSCC subcontrol 2-4-1-4 and ECC subcontrol 2-5-3-4, wireless connectivity must be disabled by default, implemented based on business needs, and assessed and managed with risk management procedures, in line with the risk tolerance policy, before any wireless access functionality goes live.
    2-4-5-2 [All] A comprehensive penetration testing exercise must be performed for any wireless network before going live.
    2-4-5-3 [All] If functionality for wireless connection to the national network exists, it must be restricted by default and be regulated through a procedure requiring approval from a responsible authority.
    2-4-5-4 [All] Access keys of wireless networks providing access to the internal network must be changed once every three months, and every six months in any other case.
    2-4-5-5 [All] With reference to CSCC subcontrol 2-7-1-1, wireless networks must use encryption algorithms that comply with the National Encryption Standard to encrypt information in transit.
    2-4-5-6 [All] Radio antennas and transmission power must be adjusted and calibrated to reduce the transmission of the signal outside the organization facilities.
    2-4-5-7 [All] A Wireless Intrusion Prevention System (WIPS) must be used to monitor unauthorized or rogue wireless access points and devices.
    2-4-5-8 [All] The Service Set Identifier (SSID) of wireless access points must be changed to random values not related to the organization or the function of the network.

2-5 Mobile Devices Security

Objective: To ensure the protection of national network information managed and stored on mobile devices (smartphones, tablets and PDAs).

Controls (applicable level in brackets):

2-5-1 In addition to ECC control 2-6-3, cybersecurity requirements for national network information managed and stored on mobile devices must include, at a minimum, the following:
    2-5-1-1 [All] With reference to CSCC subcontrol 2-5-1-1 and ECC control 2-6-3, use of mobile devices to access the national network must be restricted by default, provided based on business needs, and assessed and managed with risk management procedures, in line with the risk tolerance policy.
    2-5-1-2 [All] Personally owned mobile devices must not be allowed to connect to the national network or process information of the organization.
    2-5-1-3 [All] A list of supported mobile device models and manufacturers authorized by the organization must be defined and updated regularly.
    2-5-1-4 [All] With reference to CSCC subcontrol 2-5-1-2, mobile devices must implement storage encryption, access control systems, protection against brute-force attacks and malware protection.
    2-5-1-5 [All] Mobile devices must be updated to the latest version of the operating system and the risk of using unsupported versions must be assessed and managed with risk management procedures.
    2-5-1-6 [All] Mobile devices must have restrictions to the use of Bluetooth, Near Field Communication (NFC), Global Positioning System (GPS) and hotspot functionalities, when they are not necessary.
    2-5-1-7 [All] Mobile devices' configuration must be controlled and managed by the organization, and must prevent the end user from changing cybersecurity configuration parameters.
    2-5-1-8 [Medium, High] Organization owned mobile devices must restrict the use of Secure Digital (SD) cards and have Subscriber Identity Module (SIM) card change monitored and restricted.

2-6 Data and Information Protection

Objective: To ensure that national network information is identified, classified, marked, and managed in a secure manner, in accordance with organizational policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

2-6-1 In addition to ECC control 2-7-3, cybersecurity requirements for the protection and handling of national network data and information must include, at a minimum, the following:
    2-6-1-1 [All] With reference to CSCC subcontrol 2-6-1-2, information systems and facilities must be classified with the highest level of information stored or processed.
    2-6-1-2 [All] With reference to CSCC subcontrol 2-6-1-3, Data Loss/Leak Prevention (DLP) mechanisms must be designed and implemented, and their configuration reviewed at least annually or when significant changes occur.
    2-6-1-3 [Medium, High] Documents must include their classification level as a watermark.
    2-6-1-4 [All] Printers must authenticate the user prior to printing.

2-7 Cryptography

Objective: To ensure the adequate and efficient use of encryption mechanisms to protect the national network information in transit and at rest as per organizational policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

2-7-1 In addition to ECC control 2-8-3, cybersecurity requirements for cryptography must include, at a minimum, the following:
    2-7-1-1 [All] With reference to CSCC subcontrol 2-7-1-3, encryption must be performed using NCA-approved algorithms, devices and methods, in line with the "Advanced" encryption level required by the National Cryptography Standard (NCS 1:2020).
    2-7-1-2 [High] Encryption devices must be subjected to independent verification and validation performed by independent third parties endorsed by NCA.

2-7-2 Cybersecurity requirements for general routing security must include, at a minimum, the following:
    2-7-2-1 [All] The private keys of root and issuing certificates of the national network must be stored on a hardware security module (HSM).
    2-7-2-2 [All] The root and issuing certificates must not be stored on isolated devices not connected to the Internet or any connecting third party.
    2-7-2-3 [All] Private keys and certificates must be rotated periodically, at least every two years.
    2-7-2-4 [All] Certificate and key renewal and management must implement automation.

2-7-3 [All] Only secure versions of Transport Layer Security (TLS) must be used.

2-7-4 [All] A clear set of policies to guide the governance of the PKI, including a Certificate Policy (CP) document and a Certificate Practice Statement (CPS), must be developed.

2-8 Backup and Recovery Management

Objective: To ensure the protection of the national network information against accidental or intentional loss as per organizational policies and procedures, and related laws and regulations.

Controls (applicable level in brackets):

2-8-1 In addition to ECC control 2-9-3, cybersecurity requirements for national network backup and recovery management must include, at a minimum, the following:
    2-8-1-1 [All] With reference to ECC subcontrol 2-9-3-1, data backups must include configuration of network devices and audit logs from systems and devices.
    2-8-1-2 [All] With reference to ECC subcontrol 2-9-3-3, restoration tests of the data backups must be performed at least once every three months.
    2-8-1-3 [All] With reference to CSCC subcontrol 2-8-1-2 and ECC control 2-9-3, backup and recovery tasks must be monitored and controlled, and performed using updated, "state-of-the-art", automated tools well-suited for the technology environment of the national network.
    2-8-1-4 [All] With reference to CSCC subcontrol 2-8-1-2, data backup frequency must be aligned with organization data loss tolerance requirements, cybersecurity requirements of the information being backed up, industry best practices, recommendations and guidelines established by the NCA, or requirements from the National Data Management Office, if applicable.
    2-8-1-5 [All] Data backups made and/or managed by end-users (e.g. of their workstations, databases, files, etc.) must be strictly prohibited and monitored.
    2-8-1-6 [All] An offline copy of data backups must be stored in encrypted form in an external secure facility and regularly updated in line with the organization data loss tolerance requirements and needs.

2-9 Vulnerabilities Management

Objective: To ensure the timely and effective detection and remediation of technical vulnerabilities to prevent their exploitation by malicious third parties.

Controls (applicable level in brackets):

2-9-1 In addition to ECC control 2-10-3, cybersecurity requirements for national network vulnerability management must include, at a minimum, the following:
    2-9-1-1 [All] With reference to CSCC subcontrol 2-9-1-1, execution of vulnerability assessments must be monitored and controlled, and performed using updated, "state-of-the-art", automated tools well-suited for the environment analyzed, including authenticated scanning when available.
    2-9-1-2 [All] With reference to ECC subcontrol 2-10-3-1 and CSCC subcontrol 2-9-1-2, vulnerability assessment of perimeter exposed systems must be performed at least monthly, and at least every three months for internal systems.
    2-9-1-3 [All] The organization must maintain a history of detected vulnerabilities with their criticality and current status.
    2-9-1-4 [All] Remediation of non-critical vulnerabilities must be analyzed, planned and executed in line with the organization risk tolerance.
    2-9-1-5 [All] Existing vulnerabilities explicitly not being remediated must be properly documented and compensating controls must be applied.

2-10 Penetration Testing

Objective: To identify vulnerabilities and weaknesses in the national network infrastructure by conducting simulated cyber-attacks using techniques and methods of malicious attackers.

Controls (applicable level in brackets):

2-10-1 In addition to ECC control 2-11-3, cybersecurity requirements for national network penetration testing must include, at a minimum, the following:
    2-10-1-1 [All] With reference to ECC subcontrol 2-11-3-1 and ECC subcontrol 2-11-3-2, black box penetration tests must be performed at least every six months and include wired and wireless connections, when applicable.
    2-10-1-2 [All] With reference to ECC subcontrol 2-11-3-2, grey box penetration tests must be performed at least annually.
    2-10-1-3 [All] The results of penetration tests must be managed as sensitive information.
    2-10-1-4 [All] Rules of Engagement (RoE) must be formally documented and agreed with the assigned personnel before performing any penetration testing activity.

2-11 Cybersecurity Event Logs and Monitoring Management

Objective: To ensure timely collection, analysis and monitoring of cybersecurity events of the national network technology assets for early detection of potential cyber-attacks, operational failures and suspicious activity.

Controls (applicable level in brackets)

2-11-1 In addition to ECC control 2-12-3, cybersecurity requirements for national network event logs and monitoring management must include, at a minimum, the following:
    2-11-1-1 With reference to CSCC subcontrol 2-11-1-1, a list of relevant events of the national network technology assets must be defined and logged. (Level: All)
    2-11-1-2 With reference to ECC subcontrol 2-12-3-4, cybersecurity event monitoring must be performed with automated tools. (Level: All)
    2-11-1-3 With reference to CSCC subcontrol 2-11-1-2, cryptographic mechanisms must be used to ensure the integrity of audit logs. (Level: High)
    2-11-1-4 With reference to ECC subcontrol 2-12-3-5 and in addition to CSCC subcontrol 2-6-1-4, the retention period for cybersecurity event logs must be at least eighteen months according to legal and regulatory requirements. (Level: All)
    2-11-1-5 Logging and monitoring processes on information systems must be monitored. (Level: All)
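Subcontrol 2-11-1-3 asks for a cryptographic integrity mechanism over audit logs without naming one. A common way to meet it is a keyed hash chain: every record carries an HMAC computed over the previous record's tag and the current line, so that editing, deleting or reordering any line invalidates every tag after it. The block below is an added example written for this page, not NNCC, NCA or any product code; the key and the three syslog-style lines are constructed sample values.

```python
"""HMAC-SHA256 hash chain over audit log lines. Hypothetical example written for
this page to illustrate NNCC 2-11-1-3; not NNCC or NCA tooling.
Each record's tag = HMAC(key, previous_tag || line). The first record chains
from 32 zero bytes. A verifier holding the key can detect modification,
deletion or reordering of any record, because every later tag depends on it."""
import hashlib
import hmac

GENESIS = b"\x00" * 32          # SHA-256 digest length; anchor for the first record

# Constructed sample key and log lines (not real credentials or events).
KEY = bytes(range(32))
LOG_LINES = [
    "2021-06-01T08:00:01Z gw01 login user=admin src=10.0.0.5 result=success",
    "2021-06-01T08:02:14Z gw01 config-change user=admin object=acl-100",
    "2021-06-01T08:05:30Z gw01 logout user=admin",
]


def chain_logs(lines, key):
    """Return [(line, hex_tag), ...] with each tag chained to the one before it."""
    prev = GENESIS
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key):
    """Return the index of the first record whose tag does not verify, or -1.
    Recomputes the chain from GENESIS, so a deleted or reordered record shows
    up at the position where the recorded tag stops matching."""
    prev = GENESIS
    for index, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return index
        prev = expected
    return -1


if __name__ == "__main__":
    recs = chain_logs(LOG_LINES, KEY)
    print("intact:", verify_chain(recs, KEY))          # -1
    recs[1] = (recs[1][0].replace("admin", "guest"), recs[1][1])
    print("after edit:", verify_chain(recs, KEY))      # 1
```

The key must not live on the host that writes the log, otherwise an attacker who can edit the log can recompute the tags; the usual deployment keeps the tags (or a periodic head-of-chain checkpoint) on a separate collector that holds the key, which also satisfies the retention and monitoring points in 2-11-1-4 and 2-11-1-5.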

2-12 Cybersecurity Incident and Threat Management

Objective: To ensure the effective and timely identification, detection, response and management of potential cyber incidents to prevent or minimize the negative effects on the national network information and technology assets, taking into account the Royal Decree No. 37140 of 14/8/1438H.

Controls (applicable level in brackets)

2-12-1 In addition to ECC control 2-13-3, cybersecurity requirements for cybersecurity incident management must include, at a minimum, the following:
    2-12-1-1 With reference to ECC subcontrol 2-13-3-1, cybersecurity incident response plans and procedures must be communicated to relevant parties, reviewed and updated at least: (Level: All)
        - Annually; or
        - After significant changes, cybersecurity incidents or simulation cyber exercises, including contact information and communication and escalation procedures.
    2-12-1-2 The organization must integrate cybersecurity incident response planning with disaster recovery and business continuity planning. (Level: All)
    2-12-1-3 The organization must implement capabilities for the automated detection of advanced threats and cybersecurity incidents, and their efficacy must be reviewed at least annually. (Level: Medium, High)
    2-12-1-4 The organization must maintain a cybersecurity incident register with the most relevant information: detection and occurrence time, description and management details. (Level: All)
    2-12-1-5 With reference to ECC subcontrol 2-13-3-3, the cybersecurity incident must be reported as soon as it is confirmed, and the report analyzing the cybersecurity incident must be provided to NCA within 48 hours after its closing. (Level: All)
    2-12-1-6 A realistic cybersecurity incident simulation exercise involving providers and relevant stakeholders must be conducted at least annually, with progressive complexity, and an action plan must be generated to correct any deficiencies identified. (Level: Medium, High)

2-13 Physical Security

Objective: To ensure the protection of the national network information and technology assets from unauthorized physical access, loss, theft and damage.

Controls (applicable level in brackets)

2-13-1 In addition to ECC control 2-14-3, cybersecurity requirements for physical protection of national network information and technology assets must include, at a minimum, the following:
    2-13-1-1 Personnel on the premises must have their personal identification card visible, specifying whether they are internal personnel, external personnel working on the premises, or guests. (Level: All)
    2-13-1-2 Access control must be implemented with automated mechanisms and the access log must be reviewed once a month. (Level: All)
    2-13-1-3 Physical penetration tests must be performed at least annually. (Level: Medium, High)
    2-13-1-4 There must be a guest access register, manual or automatic, that is reviewed at least once a month. (Level: All)
    2-13-1-5 MFA must be used to access sensitive areas within the organization, such as rooms with data transmission equipment. (Level: Medium, High)
    2-13-1-6 Cell phones, cameras and recording devices must be prohibited from entering the offices and sensitive areas of the organization. (Level: Medium, High)
    2-13-1-7 External personnel who do not work permanently on the premises must be accompanied throughout their stay. (Level: All)
    2-13-1-8 Personnel must take measures to prevent unauthorized access to documentation and media. (Level: All)
    2-13-1-9 Inactive users' computers must be automatically locked to prevent unauthorized access to the computer sessions through physical access to the workstations. (Level: All)
    2-13-1-10 With reference to ECC subcontrol 2-14-3-5, equipment entering and leaving the premises must be checked and registered. (Level: All)
    2-13-1-11 Loading and unloading areas of the organization must be physically segregated from the internal part of the facilities using access controls. (Level: All)

2-14 Transmission Media Cybersecurity

Objective: To ensure the protection of national network information when it is transmitted through physical media against loss of availability, confidentiality, and integrity.

Controls (applicable level in brackets)

2-14-1 The cybersecurity requirements for national network transmission media must be defined, documented, approved and implemented. (Level: All)

2-14-2 The cybersecurity requirements for national network transmission media must include, at a minimum, the following:
    2-14-2-1 Cabling must be installed and repaired by experienced professionals with proper clearance checks for the network categorization affected. (Level: All)
    2-14-2-2 Fiber optic cabling must be prioritized over copper cabling in new facilities or modifications of current facilities. (Level: All)
    2-14-2-3 Wall cabling must not be used on walls bordering the exterior or an untrusted organization, or on walls separating rooms belonging to networks of different category levels. (Level: All)
    2-14-2-4 Cable groups must exclusively include cables of the same network. (Level: All)
    2-14-2-5 Cable management infrastructure extending across uncontrolled physical locations must be protected against unauthorized access. (Level: All)
    2-14-2-6 Cable management infrastructure must terminate as close as possible to the cabinet. (Level: All)
    2-14-2-7 Cables and wall outlet boxes must use a cable color pattern that allows one to distinguish the classification of the information transmitted or accessed. (Level: Medium, High)
    2-14-2-8 Inspection of cabling infrastructure and patch panels must be performed at least annually. (Level: Medium, High)
    2-14-2-9 A procedure for cabling labelling and identification must be defined, implemented, and documented. (Level: All)
    2-14-2-10 Conduits carrying cables, wall outlet boxes and cables must be properly labelled with the appropriate level of security for inspection and maintenance. (Level: Medium, High)
    2-14-2-11 High-level category cables shall use individual and dedicated cabinets. (Level: High)
    2-14-2-12 High-level patch panels must be separated from lower category patch panels using separated cabinets. (Level: High)

2-14-3 The cybersecurity requirements for national network transmission media must be reviewed at least: (Level: All)
    - Annually;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.

2-15 Boundary Cybersecurity

Objective: To ensure a secure connection of the national network at connection points with other networks, internal or external to the organization, to protect information against loss of availability, confidentiality, and integrity.

Controls (applicable level in brackets)

2-15-1 Cybersecurity requirements for the boundary of national network systems and devices must be defined, documented, approved and implemented. (Level: All)

2-15-2 Cybersecurity requirements for the boundary of national network systems and devices must include, at a minimum, the following:
    2-15-2-1 Connection of the national network to the Internet must be implemented based on business needs, assessed and managed with risk management procedures, in line with the risk tolerance policy, and a set of compensating cybersecurity controls must be identified and implemented before any connectivity to public infrastructure exists. (Level: All)
    2-15-2-2 A gateway must be implemented between national networks of different categorization level, including the connection to public infrastructure, when applicable. (Level: All)
    2-15-2-3 A gateway providing connectivity between networks of different category that are operated by the same organization must be managed from the higher category network. (Level: Medium, High)
    2-15-2-4 The gateway must be the only communication path in and out of the network and must fail securely in the event of an operational failure. (Level: All)
    2-15-2-5 The gateway must implement stateful inspection, deny network traffic by default and allow network traffic by exception. (Level: All)
    2-15-2-6 The gateway must implement inspection of encrypted and application layer traffic for the detection of suspicious traffic or threats. (Level: Medium, High)
    2-15-2-7 The gateway must alert in real time of any potential cybersecurity incidents. (Level: All)
    2-15-2-8 With reference to CSCC subcontrol 2-4-1-2, the gateway configuration must be reviewed at least once every six months, including traffic rules, when applicable. (Level: All)
    2-15-2-9 Core network assets must be managed through an Out-of-Band network, i.e., a secure network isolated from all connected networks. (Level: Medium, High)
    2-15-2-10 Gateway administrators must be citizens of the Kingdom of Saudi Arabia. (Level: High)

2-15-3 Cybersecurity requirements for the boundary of the national network must be reviewed at least: (Level: All)
    - Annually;
    - After a change of the network categorization;
    - Prior to significant changes in the network mission and services provided; or
    - Upon changes to related laws and regulations.

2-16 Routing Security

Objective: To ensure that the national network information flow between the national network devices is protected against cyber risks.

Controls (applicable level in brackets)

2-16-1 Cybersecurity requirements for routing protocols must include, at a minimum, the following:
    2-16-1-1 Network devices must implement the latest version of the standard of the routing protocol being used. (Level: All)
    2-16-1-2 Routing Information Protocol (RIP) version 1 must not be used. (Level: All)
    2-16-1-3 Only routing-related required protocols must be allowed in the infrastructure space. (Level: All)

2-16-2 Cybersecurity requirements for router neighbor communication must include, at a minimum, the following:
    2-16-2-1 Neighbor authentication using Message-Digest Algorithm 5 (MD5) must be used in BGP, IS-IS, RIPv2 and OSPF. (Level: All)
    2-16-2-2 The status changes of routing neighbor sessions must be configured to be logged by default. (Level: All)
    2-16-2-3 Routing traffic from neighbor routers must be filtered with Access Control Lists, prefix lists or any other technical mechanism available. (Level: All)
    2-16-2-4 The number of prefixes received from a BGP neighbor must be limited, based on the usual number of routes received under normal conditions. (Level: All)

2-16-3 Cybersecurity requirements for general routing security must include, at a minimum, the following:
    2-16-3-1 Router interfaces must be passive by default and only those necessary must be explicitly activated. (Level: All)
    2-16-3-2 General traffic directed to the routers must be filtered and restricted only to that necessary. (Level: All)
    2-16-3-3 Control Plane Policing (CoPP) Quality of Service policies must be implemented to reduce the impact of DoS attacks on the router's control plane, when technically available. (Level: All)
    2-16-3-4 Time To Live (TTL) security check must be enabled for routing updates in OSPF and BGP. (Level: All)
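Most of 2-16 can be verified mechanically from a router's running configuration: per BGP neighbor an authentication password (2-16-2-1), a prefix limit (2-16-2-4), an inbound filter (2-16-2-3) and the TTL security check (2-16-3-4); per OSPF process area authentication, passive-by-default interfaces (2-16-3-1) and adjacency logging (2-16-2-2); and no RIP process left at version 1 (2-16-1-2). The block below is an added example written for this page, not NNCC or NCA tooling. It assumes Cisco IOS-style syntax (`neighbor X password`, `ttl-security hops`, `maximum-prefix`, `passive-interface default`, `area N authentication message-digest`, `log-adjacency-changes`, `ttl-security all-interfaces`) and is only exercised on the constructed sample configuration; the IP addresses and AS numbers are documentation values and the password is a placeholder.

```python
"""Routing-configuration audit against NNCC 2-16. Hypothetical example written
for this page; not NNCC, NCA or vendor code. Parses a Cisco IOS-style text
(syntax assumed; only the constructed sample below is guaranteed to parse) and
lists each neighbor or process that lacks a required setting."""
import re

# Constructed sample: one compliant BGP neighbor, one non-compliant neighbor,
# an OSPF process missing the TTL check, and a RIP process never pinned to v2.
SAMPLE_CONFIG = """\
router bgp 64500
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 password 7 PLACEHOLDER
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 maximum-prefix 500
 neighbor 192.0.2.1 prefix-list PEER-IN in
 neighbor 198.51.100.2 remote-as 64502
 neighbor 198.51.100.2 password 7 PLACEHOLDER
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 area 0 authentication message-digest
 log-adjacency-changes
!
router rip
 network 10.0.0.0
"""


def parse_sections(config_text):
    """Split the config into top-level sections: header line -> indented lines."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
    return sections


def _audit_bgp(lines):
    findings = []
    if "bgp log-neighbor-changes" not in lines:
        findings.append("2-16-2-2: BGP neighbor state changes are not logged")
    neighbors = [l.split()[1] for l in lines if re.match(r"neighbor \S+ remote-as\b", l)]
    for n in neighbors:
        # Everything after "neighbor <ip> " for this neighbor's statements.
        opts = [l.split(maxsplit=2)[2] for l in lines if l.startswith(f"neighbor {n} ")]
        has = lambda prefix: any(o.startswith(prefix) for o in opts)
        if not has("password"):
            findings.append(f"2-16-2-1: neighbor {n} has no MD5 password")
        if not has("ttl-security"):
            findings.append(f"2-16-3-4: neighbor {n} has no TTL security check")
        if not has("maximum-prefix"):
            findings.append(f"2-16-2-4: neighbor {n} has no prefix limit")
        if not any(o.startswith(("prefix-list", "route-map", "filter-list"))
                   and o.split()[-1] == "in" for o in opts):
            findings.append(f"2-16-2-3: neighbor {n} has no inbound route filter")
    return findings


def _audit_ospf(lines):
    findings = []
    if "passive-interface default" not in lines:
        findings.append("2-16-3-1: OSPF interfaces are not passive by default")
    if not any(l.startswith("area ") and l.endswith("authentication message-digest")
               for l in lines):
        findings.append("2-16-2-1: OSPF area has no MD5 authentication")
    if "log-adjacency-changes" not in lines:
        findings.append("2-16-2-2: OSPF adjacency changes are not logged")
    if not any(l.startswith("ttl-security") for l in lines):   # assumed IOS syntax
        findings.append("2-16-3-4: OSPF TTL security check not enabled")
    return findings


def audit_routing(config_text):
    """Return the list of NNCC 2-16 deviations found in the configuration."""
    findings = []
    for header, lines in parse_sections(config_text).items():
        if header.startswith("router bgp"):
            findings += _audit_bgp(lines)
        elif header.startswith("router ospf"):
            findings += _audit_ospf(lines)
        elif header.startswith("router rip") and "version 2" not in lines:
            findings.append("2-16-1-2: RIP process is not pinned to version 2")
    return findings


if __name__ == "__main__":
    for finding in audit_routing(SAMPLE_CONFIG):
        print(finding)
```

The checker confirms that authentication and limits are configured, not that the secrets are strong or the prefix limit is sized to the peer's normal table; those remain review items under 2-15-2-8. Running it against the exported configuration of every device before the periodic review gives a repeatable gap list instead of a manual read-through.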

2-17 DNS Security

Objective: To ensure that the naming system used to access the resources provided by the national network is protected against cyber risks.

Controls (applicable level in brackets)

2-17-1 With reference to ECC subcontrol 2-5-3-7, cybersecurity requirements for the service availability of Domain Name Server (DNS) must include, at a minimum, the following:
    2-17-1-1 DNS servers must be configured in high-availability clusters. (Level: All)
    2-17-1-2 Public DNS servers must be geographically distributed across providers with different Autonomous System Numbers (ASNs). (Level: All)

2-17-2 With reference to ECC subcontrol 2-5-3-7, cybersecurity requirements for logging with respect to DNS must include, at a minimum, the following:
    2-17-2-1 DNS traffic must be logged and monitored in real time to detect potential threats and issues with queries and updates. (Level: All)
    2-17-2-2 DNS traffic must be preserved according to the logging policy of the national network. (Level: All)

2-17-3 With reference to ECC subcontrol 2-5-3-7, cybersecurity requirements for the service security of DNS must include, at a minimum, the following:
    2-17-3-1 Domain Name System Security Extensions (DNSSEC) must be implemented at least in publicly accessible servers when technically possible. (Level: All)
    2-17-3-2 DNS must implement access control lists (ACLs) and transaction signatures (TSIGs) and restrict zone transfers and malicious information gathering. (Level: All)
    2-17-3-3 Primary DNS servers must be used exclusively to serve the national network DNS zones to the secondary DNS servers. (Level: All)
    2-17-3-4 Authoritative and recursive DNS servers must be separated, and access from internal and external users must be provided based on functionality. (Level: All)
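Three of the 2-17-3 requirements are visible in the authoritative server's own configuration: zone transfers restricted by ACL and TSIG (2-17-3-2), no recursion on an authoritative server (2-17-3-4) and a signing policy for public zones (2-17-3-1). The block below is an added example written for this page, not NNCC, NCA or ISC code. It audits a BIND `named.conf` using a small brace-matching parser; the `allow-transfer`, `recursion`, `dnssec-policy` and `key` statements are standard BIND syntax, but only the constructed sample (documentation domain names, a placeholder secret) is guaranteed to parse, and the BIND default for an unset `allow-transfer` is reported as "not explicitly restricted" rather than assumed.

```python
"""Audit of a BIND named.conf against NNCC 2-17-3. Hypothetical example written
for this page; not NNCC, NCA or ISC code. Checks that zone transfers are
restricted to TSIG-keyed peers (2-17-3-2), that an authoritative server does not
recurse (2-17-3-4) and that primary zones carry a dnssec-policy (2-17-3-1).
Only the named.conf subset used by the constructed sample is handled."""
import re

SAMPLE_NAMED_CONF = """\
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";   // constructed placeholder, not a real key
};

options {
    directory "/var/named";
    recursion no;                        // authoritative only (2-17-3-4)
    allow-transfer { none; };            // deny transfers unless a zone allows them
    dnssec-policy default;               // sign every zone (2-17-3-1)
};

zone "example.net" {
    type primary;
    file "example.net.zone";
    allow-transfer { key "xfer-key"; };  // secondaries must present the TSIG key
};

zone "legacy.example.net" {
    type primary;
    file "legacy.zone";
    allow-transfer { any; };             // weak: anyone can pull the zone
};

zone "internal.example.net" {
    type primary;
    file "internal.zone";
    allow-transfer { 192.0.2.10; };      // weak: address only, no TSIG
};
"""


def top_level_statements(text):
    """Return [(header, body), ...] for each top-level `header { body };`.
    Comments are stripped first; brace depth is tracked so nested blocks such
    as `allow-transfer { ... };` stay inside their zone's body."""
    text = re.sub(r"//[^\n]*|#[^\n]*", "", text)
    statements, depth, start, header_end = [], 0, None, None
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header_end = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                statements.append((text[start:header_end].strip(), text[header_end + 1:i]))
                start = None
        elif depth == 0 and ch == ";":
            start = None                      # terminator after a block
        elif depth == 0 and start is None and not ch.isspace():
            start = i                         # first character of the next header
    return statements


def _transfer_acl(body):
    """Tokens of the allow-transfer ACL in this body, or None if it has none."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return re.findall(r'[\w."-]+', m.group(1)) if m else None


def audit_named_conf(text):
    """Return the list of NNCC 2-17-3 deviations found in the configuration."""
    findings, options, zones = [], "", []
    for header, body in top_level_statements(text):
        if header == "options":
            options = body
        elif header.startswith("zone "):
            zones.append((header.split()[1].strip('"'), body))
    if not re.search(r"\brecursion\s+no\s*;", options):
        findings.append("2-17-3-4: authoritative server allows recursion")
    default_acl = _transfer_acl(options)
    for name, body in zones:
        acl = _transfer_acl(body)
        if acl is None:
            acl = default_acl
        if acl is None:
            findings.append(f"2-17-3-2: zone {name} has no explicit allow-transfer restriction")
        elif "any" in acl:
            findings.append(f"2-17-3-2: zone {name} allows transfers to any host")
        elif "key" not in acl and acl != ["none"]:
            findings.append(f"2-17-3-2: zone {name} allows transfers without TSIG")
        if "dnssec-policy" not in body and "dnssec-policy" not in options:
            findings.append(f"2-17-3-1: zone {name} is not covered by a dnssec-policy")
    return findings


if __name__ == "__main__":
    for finding in audit_named_conf(SAMPLE_NAMED_CONF):
        print(finding)
```

A secondary server is audited the same way, with the additional expectation that it is not the one serving transfers to the public (2-17-3-3). The check is static: it tells you what the configuration permits, and the real-time monitoring in 2-17-2-1 is what tells you whether an unexpected transfer was actually attempted.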


3 Cybersecurity Resilience

3-1 Cybersecurity Resilience Aspects of Business Continuity Management (BCM)

Objective: To guarantee the continuity and resilience of the national network, the services it provides and the business processes it supports in the event of disaster scenarios.

Controls (applicable level in brackets)

3-1-1 In addition to ECC control 3-1-3, cybersecurity requirements for national network business continuity management must include, at a minimum, the following:
    3-1-1-1 Roles and responsibilities for business continuity and disaster recovery, secure communication channels and escalation procedures must be defined, implemented and communicated to internal and relevant external parties. (Level: All)
    3-1-1-2 Business continuity documentation must be stored in secure and redundant locations, reviewed and updated at least: (Level: All)
        - Annually;
        - After a change of the network categorization;
        - Prior to significant changes in the network mission and services provided;
        - Upon changes to related laws and regulations; and
        - After relevant continuity incidents or business continuity tests.
    3-1-1-3 The organization's processes and activities and their resource needs must be identified, analyzed and established, including availability and data loss tolerance requirements. (Level: All)
    3-1-1-4 The main risks and potential disaster scenarios with serious impact on the organization must be identified and managed. (Level: All)
    3-1-1-5 The datacentre and main communication rooms must implement controls to ensure data and system availability in the event of natural disasters, power failures, fire and flood and similar disaster scenarios. (Level: All)
    3-1-1-6 The critical equipment of the network must be redundant in clustered configurations. (Level: All)
    3-1-1-7 With reference to CSCC subcontrol 3-1-1-1, a backup datacentre must be established, along with network and power line redundancy from different sources, UPS and power generators. (Level: High)
    3-1-1-8 With reference to CSCC subcontrol 3-1-1-3, an annual program of disaster recovery testing must be established, including scenario, simulation and live exercise testing, with progressive complexity over time. (Level: All)
    3-1-1-9 With reference to CSCC subcontrol 3-1-1-4, live disaster recovery tests must be conducted every year, with progressive complexity over time and involving key providers and stakeholders. (Level: All)
    3-1-1-10 A comprehensive report must be issued after the execution of disaster recovery tests or the occurrence of real disaster events, and its results must be managed accordingly. (Level: All)

4 Third-Party Cybersecurity

4-1 Third-Party Cybersecurity

Objective: To ensure protection of information and technology assets of the national network against risks arising from contracting with third parties, including the supply chain, outsourcing and managed services, as per organizational policies and procedures and related laws and regulations.

Controls (applicable level in brackets)

4-1-1 In addition to ECC control 4-1-2, requirements for national network contracts and agreements with third parties must include, at a minimum, the following:
    4-1-1-1 Disaster recovery and business continuity capabilities and procedures must be included in the contract. (Level: All)
    4-1-1-2 The right to audit the cybersecurity capabilities and procedures of the third party must be included in the contract. (Level: All)
    4-1-1-3 Procedures to transition the service to a different provider must be defined and included in the contract. (Level: All)
    4-1-1-4 With reference to CSCC subcontrol 4-1-1-1, the organization must receive information about the experience and training of external personnel involved in the contract and reserve the right to conduct additional vetting. (Level: Medium, High)
    4-1-1-5 With reference to ECC subcontrol 4-1-2-3, the third party must provide assurance of compliance with related NCA regulations and entity cybersecurity requirements. (Level: All)

4-1-2 In addition to ECC control 4-1-3, cybersecurity requirements for contracts and agreements with IT outsourcing and managed services must include, at a minimum, the following:
    4-1-2-1 The third party must inform the organization immediately in the event of a cybersecurity incident potentially affecting the service (even when that has not been fully determined), identify key stakeholders, investigate the incident, and execute remediation plans. (Level: All)
    4-1-2-2 The third party must regularly report its compliance with contract terms and agreements. (Level: All)

4-1-3 The organization must ensure that any clients and beneficiaries connecting to the network are compliant with the NNCC-related measures determined in the NNCC Code of Connection document. (Level: All)

Appendices

Appendix (A): Applicability of controls to network elements

This appendix gives a breakdown of the applicability of all controls against the most common network elements and factors. It should be noted that a National Network is composed of multiple physical and abstract elements, including:
    - People (the technical and non-technical staff that support the network either directly or indirectly),
    - Locations (where infrastructure is installed),
    - Third parties connecting to the network (e.g. service providers),
    - End-user devices (required to perform technical and non-technical tasks),
    - A LAN network with supporting infrastructure (for instance, the local network where the users connect will need to have an LDAP directory, data storage systems, repositories for documentation and logs, etc.),
    - A WAN network (the infrastructure that transmits the data of the network between the clients).
The NNCC has been designed to cover all of these elements. However, for the sake of clarity surrounding the technological aspects of the network, the following breakdown is used:
Network Type
    - LAN (Local Area Network): A local area network is a collection of computers and peripheral devices interconnected in one physical location and comprises cables, access points, switches, routers, and other components that enable devices to connect to internal servers, web servers, and other LANs. LAN includes technologies such as: Copper, Fiber, Coaxial, Ethernet, ARP, IP, TCP/UDP, DHCP, 100BaseT/100BaseTX, 10BaseT (UTP), 1000BaseT.
    - WAN (Wide Area Network): A wide area network is a geographically distributed telecommunications network that interconnects devices from multiple locations. WANs use various interconnection links without establishing ties to a physical location. WAN includes technologies such as: Fiber, MPLS, Frame relay, SDLC, HDLC, ISDN, SD-WAN, X.25.
    - Wireless: When referring to networks, wireless is the technology that allows data connections to be established between two or more network nodes via radio waves and without relying on physical connections. Wireless includes technologies such as: WLAN, WPA2, 802.1X/EAP, TKIP, CCMP, Access point, WIMAX, FHSS, DSSS, OFDM.
Applicability is given in the table below:
Table 2. NNCC Applicability by Network Element

Network Element
Control    Subcontrol   LAN   WAN   Wireless
1-1-1                   ✓     ✓     ✓
1-1-2                   ✓     ✓     ✓
1-2-1                   ✓     ✓     ✓
1-3-1      1-3-1-1      ✓     ✓     ✓
           1-3-1-2      ✓     ✓     ✓
1-3-2                   ✓     ✓     ✓
1-4-1                   ✓     ✓     ✓
1-4-2                   ✓     ✓     ✓
1-5-1      1-5-1-1      ✓     ✓     ✓
           1-5-1-2      ✓     ✓     ✓
           1-5-1-3      ✓     ✓     ✓
1-6-1                   ✓     ✓     ✓
1-6-2      1-6-2-1      ✓     ✓     ✓
           1-6-2-2      ✓     ✓     ✓
1-7-1                   ✓     ✓     ✓
1-8-1                   ✓     ✓     ✓
1-9-1                   ✓     ✓     ✓
1-9-2      1-9-2-1      ✓     ✓     ✓
           1-9-2-2      ✓     ✓     ✓
           1-9-2-3      ✓     ✓     ✓
           1-9-2-4      ✓     ✓     ✓
1-9-3                   ✓     ✓     ✓
1-10-1                  ✓     ✓     ✓
1-10-2     1-10-2-1     ✓     ✓     ✓
           1-10-2-2     ✓     ✓     ✓
           1-10-2-3     ✓     ✓     ✓
           1-10-2-4     ✓     ✓     ✓
           1-10-2-5     ✓     ✓     ✓
1-10-3                  ✓     ✓     ✓
2-1-1      2-1-1-1      ✓     ✓     ✓
           2-1-1-2      ✓     ✓     ✓
           2-1-1-3      ✓     ✓     ✓
           2-1-1-4      ✓     ✓     ✓
2-1-2      2-1-2-1      ✓     ✓     ✓
           2-1-2-2      ✓     ✓     ✓
2-1-3      2-1-3-1      ✓     ✓     ✓
           2-1-3-2      ✓     ✓     ✓
           2-1-3-3      ✓     ✓     ✓
           2-1-3-4      ✓     ✓     ✓
2-2-1      2-2-1-1      ✓     X     X
           2-2-1-2      ✓     ✓     ✓
           2-2-1-3      ✓     X     X
           2-2-1-4      ✓     X     X
           2-2-1-5      ✓     ✓     ✓
           2-2-1-6      ✓     ✓     ✓
           2-2-1-7      ✓     ✓     ✓
           2-2-1-8      ✓     X     X
2-3-1      2-3-1-1      ✓     ✓     ✓
           2-3-1-2      ✓     X     X
           2-3-1-3      ✓     X     X
           2-3-1-4      ✓     ✓     ✓
           2-3-1-5      ✓     ✓     ✓
           2-3-1-6      ✓     ✓     ✓
           2-3-1-7      ✓     ✓     ✓
2-3-2      2-3-2-1      ✓     ✓     ✓
           2-3-2-2      ✓     ✓     ✓
           2-3-2-3      ✓     ✓     ✓
           2-3-2-4      NBED  NBED  NBED
2-4-1      2-4-1-1      ✓     X     X
           2-4-1-2      ✓     X     X
           2-4-1-3      ✓     ✓     ✓
           2-4-1-4      ✓     ✓     ✓
           2-4-1-5      NBED  NBED  NBED
2-4-2      2-4-2-1      ✓     X     X
           2-4-2-2      ✓     X     X
           2-4-2-3      ✓     X     X
           2-4-2-4      ✓     X     X
2-4-3      2-4-3-1      ✓     X     X
           2-4-3-2      ✓     X     X
           2-4-3-3      ✓     X     X
           2-4-3-4      ✓     X     X
2-4-4                   NBED  NBED  NBED
2-4-5      2-4-5-1      X     X     ✓
           2-4-5-2      X     X     ✓
           2-4-5-3      X     X     ✓
           2-4-5-4      X     X     ✓
           2-4-5-5      X     X     ✓
           2-4-5-6      X     X     ✓
           2-4-5-7      X     X     ✓
           2-4-5-8      X     X     ✓
2-5-1      2-5-1-1      ✓     X     X
           2-5-1-2      ✓     X     X
           2-5-1-3      ✓     X     X
           2-5-1-4      ✓     X     X
           2-5-1-5      ✓     X     X
           2-5-1-6      ✓     X     X
           2-5-1-7      ✓     X     X
           2-5-1-8      ✓     X     X
2-6-1      2-6-1-1      ✓     ✓     ✓
           2-6-1-2      ✓     X     X
           2-6-1-3      ✓     ✓     ✓
           2-6-1-4      ✓     X     X
2-7-1      2-7-1-1      ✓     ✓     ✓
           2-7-1-2      ✓     ✓     ✓
2-7-2      2-7-2-1      ✓     ✓     ✓
           2-7-2-2      ✓     ✓     ✓
           2-7-2-3      NBED  NBED  NBED
           2-7-2-4      NBED  NBED  NBED
2-7-3                   NBED  NBED  NBED
2-7-4                   NBED  NBED  NBED
2-8-1      2-8-1-1      ✓     X     X
           2-8-1-2      ✓     X     X
           2-8-1-3      ✓     X     X
           2-8-1-4      ✓     X     X
           2-8-1-5      ✓     X     X
           2-8-1-6      ✓     X     X
2-9-1      2-9-1-1      ✓     ✓     ✓
           2-9-1-2      ✓     ✓     ✓
           2-9-1-3      ✓     ✓     ✓
           2-9-1-4      ✓     ✓     ✓
           2-9-1-5      ✓     ✓     ✓
2-10-1     2-10-1-1     ✓     ✓     ✓
           2-10-1-2     ✓     ✓     ✓
           2-10-1-3     ✓     ✓     ✓
           2-10-1-4     ✓     ✓     ✓
2-11-1     2-11-1-1     ✓     ✓     ✓
           2-11-1-2     ✓     ✓     ✓
           2-11-1-3     ✓     ✓     ✓
           2-11-1-4     ✓     ✓     ✓
           2-11-1-5     ✓     ✓     ✓
2-12-1     2-12-1-1     ✓     ✓     ✓
           2-12-1-2     ✓     ✓     ✓
           2-12-1-3     ✓     ✓     ✓
           2-12-1-4     ✓     ✓     ✓
           2-12-1-5     ✓     ✓     ✓
           2-12-1-6     ✓     ✓     ✓
2-13-1     2-13-1-1     ✓     ✓     ✓
           2-13-1-2     ✓     ✓     ✓
           2-13-1-3     ✓     ✓     ✓
           2-13-1-4     ✓     ✓     ✓
           2-13-1-5     ✓     ✓     ✓
           2-13-1-6     ✓     ✓     ✓
           2-13-1-7     ✓     ✓     ✓
           2-13-1-8     ✓     ✓     ✓
           2-13-1-9     ✓     X     X
           2-13-1-10    ✓     ✓     ✓
           2-13-1-11    ✓     ✓     ✓
2-14-1                  ✓     ✓     ✓
2-14-2     2-14-2-1     ✓     ✓     ✓
           2-14-2-2     X     ✓     X
           2-14-2-3     ✓     ✓     ✓
           2-14-2-4     ✓     ✓     ✓
           2-14-2-5     ✓     ✓     ✓
           2-14-2-6     X     ✓     X
           2-14-2-7     X     ✓     X
           2-14-2-8     ✓     ✓     ✓
           2-14-2-9     ✓     ✓     ✓
           2-14-2-10    ✓     ✓     ✓
           2-14-2-11    X     ✓     X
           2-14-2-12    X     ✓     X
2-14-3                  ✓     ✓     ✓
2-15-1                  ✓     ✓     ✓
2-15-2     2-15-2-1     ✓     ✓     ✓
           2-15-2-2     X     ✓     X
           2-15-2-3     X     ✓     X
           2-15-2-4     X     ✓     X
           2-15-2-5     X     ✓     X
           2-15-2-6     X     ✓     X
           2-15-2-7     X     ✓     X
           2-15-2-8     X     ✓     X
           2-15-2-9     X     ✓     X
           2-15-2-10    X     ✓     X
2-15-3                  ✓     ✓     ✓
2-16-1     2-16-1-1     NBED  NBED  NBED
           2-16-1-2     NBED  NBED  NBED
           2-16-1-3     NBED  NBED  NBED
2-16-2     2-16-2-1     NBED  NBED  NBED
           2-16-2-2     NBED  NBED  NBED
           2-16-2-3     NBED  NBED  NBED
           2-16-2-4     NBED  NBED  NBED
2-16-3     2-16-3-1     NBED  NBED  NBED
           2-16-3-2     NBED  NBED  NBED
           2-16-3-3     NBED  NBED  NBED
           2-16-3-4     NBED  NBED  NBED
2-17-1     2-17-1-1     NBED  NBED  NBED
           2-17-1-2     NBED  NBED  NBED
2-17-2     2-17-2-1     NBED  NBED  NBED
           2-17-2-2     NBED  NBED  NBED
2-17-3     2-17-3-1     NBED  NBED  NBED
           2-17-3-2     NBED  NBED  NBED
           2-17-3-3     NBED  NBED  NBED
           2-17-3-4     NBED  NBED  NBED
3-1-1      3-1-1-1      ✓     ✓     ✓
           3-1-1-2      ✓     ✓     ✓
           3-1-1-3      ✓     ✓     ✓
           3-1-1-4      ✓     ✓     ✓
           3-1-1-5      X     ✓     X
           3-1-1-6      X     ✓     X
           3-1-1-7      X     ✓     X
           3-1-1-8      X     ✓     X
           3-1-1-9      X     ✓     X
           3-1-1-10     ✓     ✓     ✓
4-1-1      4-1-1-1      ✓     ✓     ✓
           4-1-1-2      ✓     ✓     ✓
           4-1-1-3      ✓     ✓     ✓
           4-1-1-4      ✓     ✓     ✓
           4-1-1-5      ✓     ✓     ✓
4-1-2      4-1-2-1      ✓     ✓     ✓
           4-1-2-2      ✓     ✓     ✓
4-1-3                   ✓     ✓     ✓

Appendix (B): Applicability of controls to network nature

This appendix gives a breakdown of the applicability of all controls against the most common network natures. The following breakdown is used:
Open / Closed
    - Open: This refers to a network that has access to other networks, for example via general internet access, and is therefore accessible from outside of its own network limits.
    - Closed: This refers to a network that is isolated from external access through other networks, including via general internet access, and is therefore considered to be closed.
Applicability is given in the table below:
Table 3. NNCC Applicability by Network Nature

Network Nature
Control Subcontrol Open Closed

1-1-1
✓ ✓

1-1-2
✓ ✓

1-2-1
✓ ✓

1-3-1

1-3-1-1
✓ ✓

1-3-1-2
✓ ✓

1-3-2
✓ ✓

1-4-1
✓ ✓

1-4-2
✓ ✓

1-5-1

1-5-1-1
✓ ✓

1-5-1-2
✓ ✓

1-5-1-3
✓ ✓

1-6-1
✓ ✓

‫ متاح‬:‫ تصنيف الوثيقة‬58


‫مقيد – داخلي‬
‫مـقــيــد‬
‫ضوابط األمن السيبراني للشبكاتـ الوطنية‬ ‫إشـــــــارة المشاركة‪ :‬أبــيــض‬

‫‪Network Nature‬‬
‫‪Control‬‬ ‫‪Subcontrol‬‬ ‫‪Open‬‬ ‫‪Closed‬‬

‫‪1-6-2‬‬

‫‪1-6-2-1‬‬
‫✓‬ ‫✓‬

‫‪1-6-2-2‬‬
‫✓‬ ‫✓‬

‫‪1-7-1‬‬
‫✓‬ ‫✓‬

‫‪1-8-1‬‬
‫✓‬ ‫✓‬

‫‪1-9-1‬‬
‫✓‬ ‫✓‬

‫‪1-9-2‬‬

‫‪1-9-2-1‬‬
‫✓‬ ‫✓‬

‫‪1-9-2-2‬‬
‫✓‬ ‫✓‬

‫‪1-9-2-3‬‬
‫✓‬ ‫✓‬

‫‪1-9-2-4‬‬
‫✓‬ ‫✓‬

‫‪1-9-3‬‬
‫✓‬ ‫✓‬

‫‪1-10-1‬‬
‫✓‬ ‫✓‬

‫‪1-10-2‬‬

‫‪1-10-2-1‬‬
‫✓‬ ‫✓‬

‫‪1-10-2-2‬‬
‫✓‬ ‫✓‬

‫‪1-10-2-3‬‬
‫✓‬ ‫✓‬

‫‪1-10-2-4‬‬
‫✓‬ ‫✓‬

‫‪1-10-2-5‬‬
‫✓‬ ‫✓‬

‫‪1-10-3‬‬
‫✓‬ ‫✓‬

‫‪2-1-1‬‬

‫‪ 59‬تصنيف الوثيقة‪ :‬متاح‬


‫مقيد – داخلي‬
‫مـقــيــد‬
‫ضوابط األمن السيبراني للشبكاتـ الوطنية‬ ‫إشـــــــارة المشاركة‪ :‬أبــيــض‬

                           Network Nature
Control     Subcontrol     Open    Closed
            2-1-1-1        ✓       ✓
            2-1-1-2        ✓       ✓
            2-1-1-3        ✓       ✓
            2-1-1-4        ✓       ✓
2-1-2
            2-1-2-1        ✓       ✓
            2-1-2-2        ✓       ✓
2-1-3
            2-1-3-1        ✓       ✓
            2-1-3-2        ✓       ✓
            2-1-3-3        ✓       ✓
            2-1-3-4        ✓       ✓
2-2-1
            2-2-1-1        ✓       ✓
            2-2-1-2        ✓       ✓
            2-2-1-3        ✓       ✓
            2-2-1-4        ✓       ✓
            2-2-1-5        ✓       ✓
            2-2-1-6        ✓       ✓
            2-2-1-7        ✓       ✓
            2-2-1-8        ✓       ✓



                           Network Nature
Control     Subcontrol     Open    Closed
2-3-1
            2-3-1-1        ✓       ✓
            2-3-1-2        ✓       ✓
            2-3-1-3        ✓       ✓
            2-3-1-4        ✓       ✓
            2-3-1-5        ✓       ✓
            2-3-1-6        ✓       ✓
            2-3-1-7        ✓       ✓
2-3-2
            2-3-2-1        ✓       ✓
            2-3-2-2        ✓       ✓
            2-3-2-3        ✓       ✓
            2-3-2-4        NBED    NBED
2-4-1
            2-4-1-1        ✓       ✓
            2-4-1-2        ✓       ✓
            2-4-1-3        ✓       ✓
            2-4-1-4        ✓       ✓
            2-4-1-5        NBED    NBED
2-4-2
            2-4-2-1        ✓       X



                           Network Nature
Control     Subcontrol     Open    Closed
            2-4-2-2        ✓       X
            2-4-2-3        ✓       X
            2-4-2-4        ✓       X
2-4-3
            2-4-3-1        ✓       ✓
            2-4-3-2        ✓       ✓
            2-4-3-3        ✓       ✓
            2-4-3-4        ✓       ✓
2-4-4                      NBED    NBED
2-4-5
            2-4-5-1        ✓       X
            2-4-5-2        ✓       X
            2-4-5-3        ✓       X
            2-4-5-4        ✓       X
            2-4-5-5        ✓       X
            2-4-5-6        ✓       X
            2-4-5-7        ✓       X
            2-4-5-8        ✓       X
2-5-1
            2-5-1-1        ✓       X
            2-5-1-2        ✓       X



                           Network Nature
Control     Subcontrol     Open    Closed
            2-5-1-3        ✓       X
            2-5-1-4        ✓       X
            2-5-1-5        ✓       X
            2-5-1-6        ✓       X
            2-5-1-7        ✓       X
            2-5-1-8        ✓       X
2-6-1
            2-6-1-1        ✓       ✓
            2-6-1-2        ✓       ✓
            2-6-1-3        ✓       ✓
            2-6-1-4        ✓       ✓
2-7-1
            2-7-1-1        ✓       ✓
            2-7-1-2        ✓       ✓
2-7-2
            2-7-2-1        ✓       ✓
            2-7-2-2        ✓       ✓
            2-7-2-3        NBED    NBED
            2-7-2-4        NBED    NBED
2-7-3                      NBED    NBED
2-7-4                      NBED    NBED



                           Network Nature
Control     Subcontrol     Open    Closed
2-8-1
            2-8-1-1        ✓       ✓
            2-8-1-2        ✓       ✓
            2-8-1-3        ✓       ✓
            2-8-1-4        ✓       ✓
            2-8-1-5        ✓       ✓
            2-8-1-6        ✓       ✓
2-9-1
            2-9-1-1        ✓       ✓
            2-9-1-2        ✓       ✓
            2-9-1-3        ✓       ✓
            2-9-1-4        ✓       ✓
            2-9-1-5        ✓       ✓
2-10-1
            2-10-1-1       ✓       ✓
            2-10-1-2       ✓       ✓
            2-10-1-3       ✓       ✓
            2-10-1-4       ✓       ✓
2-11-1
            2-11-1-1       ✓       ✓
            2-11-1-2       ✓       ✓



                           Network Nature
Control     Subcontrol     Open    Closed
            2-11-1-3       ✓       ✓
            2-11-1-4       ✓       ✓
            2-11-1-5       ✓       ✓
2-12-1
            2-12-1-1       ✓       ✓
            2-12-1-2       ✓       ✓
            2-12-1-3       ✓       ✓
            2-12-1-4       ✓       ✓
            2-12-1-5       ✓       ✓
            2-12-1-6       ✓       ✓
2-13-1
            2-13-1-1       ✓       ✓
            2-13-1-2       ✓       ✓
            2-13-1-3       ✓       ✓
            2-13-1-4       ✓       ✓
            2-13-1-5       ✓       ✓
            2-13-1-6       ✓       ✓
            2-13-1-7       ✓       ✓
            2-13-1-8       ✓       ✓
            2-13-1-9       ✓       ✓
            2-13-1-10      ✓       ✓



                           Network Nature
Control     Subcontrol     Open    Closed
            2-13-1-11      ✓       ✓
2-14-1                     ✓       ✓
2-14-2
            2-14-2-1       ✓       ✓
            2-14-2-2       ✓       ✓
            2-14-2-3       ✓       ✓
            2-14-2-4       ✓       ✓
            2-14-2-5       ✓       ✓
            2-14-2-6       ✓       ✓
            2-14-2-7       ✓       ✓
            2-14-2-8       ✓       ✓
            2-14-2-9       ✓       ✓
            2-14-2-10      ✓       ✓
            2-14-2-11      ✓       ✓
            2-14-2-12      ✓       ✓
2-14-3                     ✓       ✓
2-15-1                     ✓       ✓
2-15-2
            2-15-2-1       ✓       ✓
            2-15-2-2       ✓       ✓
            2-15-2-3       ✓       ✓



                           Network Nature
Control     Subcontrol     Open    Closed
            2-15-2-4       ✓       ✓
            2-15-2-5       ✓       ✓
            2-15-2-6       ✓       ✓
            2-15-2-7       ✓       ✓
            2-15-2-8       ✓       ✓
            2-15-2-9       ✓       ✓
            2-15-2-10      ✓       ✓
2-15-3                     ✓       ✓
2-16-1
            2-16-1-1       NBED    NBED
            2-16-1-2       NBED    NBED
            2-16-1-3       NBED    NBED
2-16-2
            2-16-2-1       NBED    NBED
            2-16-2-2       NBED    NBED
            2-16-2-3       NBED    NBED
            2-16-2-4       NBED    NBED
2-16-3
            2-16-3-1       NBED    NBED
            2-16-3-2       NBED    NBED
            2-16-3-3       NBED    NBED



                           Network Nature
Control     Subcontrol     Open    Closed
            2-16-3-4       NBED    NBED
2-17-1
            2-17-1-1       NBED    NBED
            2-17-1-2       NBED    NBED
2-17-2
            2-17-2-1       NBED    NBED
            2-17-2-2       NBED    NBED
2-17-3
            2-17-3-1       NBED    NBED
            2-17-3-2       NBED    NBED
            2-17-3-3       NBED    NBED
            2-17-3-4       NBED    NBED
3-1-1
            3-1-1-1        ✓       ✓
            3-1-1-2        ✓       ✓
            3-1-1-3        ✓       ✓
            3-1-1-4        ✓       ✓
            3-1-1-5        ✓       ✓
            3-1-1-6        ✓       ✓
            3-1-1-7        ✓       ✓
            3-1-1-8        ✓       ✓



                           Network Nature
Control     Subcontrol     Open    Closed
            3-1-1-9        ✓       ✓
            3-1-1-10       ✓       ✓
4-1-1
            4-1-1-1        ✓       ✓
            4-1-1-2        ✓       ✓
            4-1-1-3        ✓       ✓
            4-1-1-4        ✓       ✓
            4-1-1-5        ✓       ✓
4-1-2
            4-1-2-1        ✓       ✓
            4-1-2-2        ✓       ✓
4-1-3                      ✓       ✓



Appendix (C): List of Abbreviations

Abbreviation   Full term
CSCC           Critical Systems Cybersecurity Controls
DLP            Data Loss/Leak Prevention
DMZ            Demilitarized Zone
ECC            Essential Cybersecurity Controls
GPS            Global Positioning System
IP             Internet Protocol
IT             Information Technology
MFA            Multi-Factor Authentication
NCA            National Cybersecurity Authority
NFC            Near Field Communication
NNCC           National Network Cybersecurity Controls
SSID           Service Set Identifier
VLAN           Virtual Local Area Network
WIPS           Wireless Intrusion Prevention System



Appendix (D): Terms and Definitions

Terminology: Definition

Black Box Penetration Testing: A method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance.

Data Loss Tolerance: The maximum amount of data loss, measured in time, that is acceptable to business requirements.

Gateway: An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks.

Grey Box Penetration Testing: In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester, usually in the form of login credentials. Grey box testing is useful for understanding the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has already breached the network perimeter.

Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Physical Penetration Testing: A simulated intrusion attempt designed to identify weaknesses in an entity's physical security. It differs from other types of penetration testing in that the target is not a cyber one but the physical location itself.

Rules of Engagement: Rules of Engagement (RoE) is a document that specifies the manner in which the penetration test is to be conducted. Directives that should be clearly spelled out in the RoE before an organization starts the penetration test include the type and scope of testing, IT team notifications, and sensitive data handling measures.

