
SACS-003

Cloud Computing
Cybersecurity Standard

Saudi Aramco: Company General Use


Document Responsibility: Information Security Department
SACS-003 | Issue Date: February 2020

Content

1. Purpose .......................................................... 3
2. Scope ............................................................ 3
3. Change Control ................................................... 3
4. Policy Deviation ................................................. 3
5. Terms and Definitions ............................................ 3
6. Public Cloud Computing Service PoC Requirements .................. 4
7. General Requirements ............................................. 4
8. Public Cloud Computing Service Specific Requirements ............. 5
9. References ....................................................... 8
10. Approval ........................................................ 8


1. Purpose
This Standard defines the minimum requirements for the use of Public Cloud Computing Services
to host, store and/or process Saudi Aramco data or information.

2. Scope
This Standard applies to the use of Public Cloud Computing services that are not under the control
of Saudi Aramco to host, store and/or process Saudi Aramco data or information. This includes
any Cloud Computing service model, such as Software as a Service (SaaS), Platform as a Service
(PaaS), and Infrastructure as a Service (IaaS).

3. Change Control
Changes made to the standard documentation will be highlighted using the following labelling
scheme.

Status Name    Description
Modified       An existing standard or guideline that has been changed.
New            A new standard or guideline that has been added and approved for this release.

4. Policy Deviation
In the event compliance with this standard is not feasible, a waiver must be requested from
Information Security Department (ISD) through the Strategy and Policy Group.

5. Terms and Definitions
Please refer to the list of terms and definitions.


6. Public Cloud Computing Service PoC Requirements
The following section defines the requirements for Proof of Concept (PoC) on Public Cloud
Computing Service.

Control Number    Control Statement

CS 1.1.1 Data Custodian must sanitize or obfuscate data or information to be hosted, processed
and/or stored in the Public Cloud Computing Services in such a way that the data cannot be
re-engineered back to Saudi Aramco or have any resemblance to Saudi Aramco data.
CS 1.1.2 Public Cloud Computing Service as a PoC must not contain Saudi Aramco branding or any
reference to Saudi Aramco.

7. General Requirements
This section defines the requirements for the utilization of Public Cloud Computing Services to
host, store and/or process Saudi Aramco data or information.

Control Number    Control Statement

CS 1.1.3 All data must be classified by the Data Owner prior to storing, processing or hosting on a
Public Cloud service per GI 710.002.

CS 1.1.4 Data Custodian must obtain Data Owner’s approval as required by GI 710.002, prior to
storing, processing, and/or hosting Saudi Aramco data or information in Public Cloud
Computing Service.
CS 1.1.5 Data Custodian must request a Cloud Computing Assessment (CCA) for review, to be
provided by the Information Security Department (ISD) and the Corporate Compliance
Department (CCD), prior to contracting for and utilization of any Public Cloud Computing
Service.
CS 1.1.6 Data Custodian must pass “Software Endorsement” process by Information Technology
Admin Area Demand Management on the selected Public Cloud Computing Service prior to
requesting a CCA.
CS 1.1.7 Data Owner, Data Custodian, and Public Cloud Service Provider must comply with all
requirements identified by the CCA.

CS 1.1.8 CCA must include evaluation of the legal risk to host, store or process Saudi Aramco
Information and Data in a Public Cloud Computing Service. CCD evaluation will consider
the following:
a) Compliance with applicable regulations governing cloud storage and hosting;
b) Legal risk of access to Saudi Aramco Information and Data by government entities
pursuant to laws such as the US Cloud Act;
c) Legal risk pertaining to personal information stored or hosted in a Public Cloud
Computing Service;
d) Compliance with applicable legally required technical and/or organizational
measures necessary to secure Saudi Aramco information and data.
CS 1.1.9 All approved Public Cloud Computing Services must be inventoried by Information
Technology Admin Area Asset Management.

CS 1.1.10 Data Owner or Data Custodian must regularly review and update the list of end-users
authorized to access the Cloud Computing service.

CS 1.1.11 Data Custodian must inform ISD and Information Technology Admin Area upon expiry or
termination of Public Cloud Computing Service.

CS 1.1.12 The hosting and storage of Saudi Aramco Information and Data must be within the
Kingdom of Saudi Arabia.

CS 1.1.13 Consultation with CCD must be obtained for any adjustment to Saudi Aramco pre-approved
data privacy & protection clauses in contracts/agreements with Public Cloud Service
Provider.
CS 1.1.14 ISD consent must be obtained for any adjustment to “Cybersecurity Terms and Conditions”
in contracts/agreements with Public Cloud Service Provider.

8. Public Cloud Computing Service Specific Requirements
In addition to the general requirements, this section defines the minimum cybersecurity capabilities that
are required for the Public Cloud Computing Service.

Control Number    Control Statement
CS 1.1.15 Data center of Cloud Service Provider must have physical perimeter security measures
(e.g. access-controlled entry gates, manned reception desks, video cameras) to prevent
unauthorized access to resources hosting or storing Saudi Aramco information or data.
CS 1.1.16 Data center of Cloud Service Provider must be certified by an internationally-recognized
authority.

CS 1.1.17 Data center of Cloud Service Provider must have the required tier rating as determined by
the Data Owner and Data Custodian to ensure data availability.

CS 1.1.18 Cloud Service Provider must provide high-availability service fail-over to minimize
downtime or disruption, as determined by the Data Owner or Data Custodian.

CS 1.1.19 Denial of Service protection must be implemented for Cloud Computing Services requiring
high availability.

CS 1.1.20 Multi-Factor authentication must be used for Data Owner and Data Custodian access
when maintaining and/or administering the Public Cloud Computing Service.

CS 1.1.21 Multi-Factor authentication must be enforced on end-users accessing the Public Cloud
Computing Service containing Saudi Aramco Sensitive Information.

CS 1.1.22 Multi-Factor authentication must be enforced on end-users accessing Content Management
Services (CMS) of Cloud Computing service.

CS 1.1.23 Sessions must be encrypted (i.e. using HTTPS) where sensitive Saudi Aramco information
or data will be transmitted from and to the Public Cloud Computing Services.

CS 1.1.24 Cloud Service Provider must have an encryption key management capability where data
encryption is used.

CS 1.1.25 Cloud Service Provider must provide encryption at rest for Saudi Aramco information or
data, including backups, unless classified as Public by the Data Owner.

CS 1.1.26 Cloud Service Provider must separate virtual servers hosting or storing Saudi Aramco
information from those of other organizations.

CS 1.1.27 Cloud Service Provider must regularly apply security patches to the Cloud service
infrastructure.

CS 1.1.28 Cloud Service Provider must perform source-code vulnerability scanning prior to
deployment of applications and software in the Cloud service infrastructure.

CS 1.1.29 Cloud Service Provider must regularly perform security scans on the Cloud Computing
service to identify threats and vulnerabilities.

CS 1.1.30 Cloud Service Provider must have up-to-date anti-virus software for Windows Operating
Systems.

CS 1.1.31 Cloud Service Provider must develop software in accordance with an industry best-practice
software development life cycle.

CS 1.1.32 Cloud Computing service must regularly have a penetration test performed by a reputable
third party.

CS 1.1.33 Cloud Service Provider must use firewalls and intrusion prevention mechanisms to secure
the cloud service.

CS 1.1.34 Cloud based web applications must be protected by a Web Application Firewall (WAF).

CS 1.1.35 Cloud Service Provider must have security measures in place to restrict and protect access
to the Saudi Aramco data by its employees or contractors.

CS 1.1.36 Cloud Service Provider must harden information systems used for the cloud service.

CS 1.1.37 Cloud Service Provider must provide data backup and recovery capabilities.

CS 1.1.38 Cloud Service Provider must provide logging and security monitoring for Cloud Computing
infrastructure including access and modification to Saudi Aramco information or data.

CS 1.1.39 Security events and Audit logs on Saudi Aramco information or data hosted or stored in the
Cloud Computing Service must be logged and retained for a minimum of one (1) year.

CS 1.1.40 Cloud Service Provider must have a procedure or mechanism to inform Saudi Aramco in a
timely manner in case of a compromise or breach of Saudi Aramco information.

CS 1.1.41 Cloud Service Provider must perform on-boarding background checks on users with
administrative rights where sensitive Saudi Aramco information or data is hosted or
processed.
CS 1.1.42 The Cloud Provider must allow Saudi Aramco information or data to be returned in a usable
format upon service termination or disengagement.

CS 1.1.43 Cloud Service Provider must sanitize technology assets hosting or storing Saudi Aramco
information or data upon service termination or disengagement or by the end of the retention
period as stated in the Contract/Agreement, if defined.


9. References
This Standard has been developed to align with the National Cybersecurity Regulation,
Essential Cybersecurity Controls (ECC-1:2018) and cybersecurity industry best-practices.

10. Approval

Concur

________________________________
David R. Cherrington,
Manager, Corporate Compliance
Department (A)

Approve
_________________________________
Khalid S. Al-Harbi,
Chief Information Security Officer (A),
Information Security Department
