In November 2021, the Saudi Central Bank (SAMA) issued a circular on IT governance frameworks (ITGFs) as part of its cybersecurity rules and instructions. SAMA recognises that – while IT is playing an increasingly fundamental role in today’s data-driven environments – IT also exposes the financial institutions (FIs) it regulates to dynamically evolving IT risks and governance requirements. In response to those risks, SAMA has developed an ITGF that will enable SAMA-regulated businesses to effectively identify and address IT-related risks – and which FIs and SAMA can use to assess maturity levels and evaluate the effectiveness of IT controls.
IT governance and leadership
- IT governance structure defined, endorsed and supported with appropriate resources
- IT strategy aligned with strategic objectives and complies with legal and regulatory requirements
- Enterprise architecture outlines business processes, data and supporting technology layers
- IT policies and procedures are defined, approved, communicated and implemented
- IT roles and responsibilities defined and understood
- Relevant regulations identified, communicated and complied with
- IT internal audits verify IT controls implemented and operating as intended
- Staff have required skills and knowledge
- Efficiency and effectiveness of IT processes and services continuously measured through KPIs
IT risk management
- ITRM processes defined, approved, implemented, communicated and aligned with ERM processes
- Assets identified, recorded and maintained
- Controls and risks analysed based on likelihood of occurrences and resulting impact
- IT risks associated with IT assets treated based on applicable criteria
- IT risks treated according to defined treatment plans and effectively reviewed, monitored and reported
Operations management
- Accurate inventory provided by asset management process
- Interdependencies for critical assets identified and managed
- Contractual terms and conditions governing roles, relationships, obligations and responsibilities of stakeholders developed and controlled
- Business functions supported through service availability and capacity management
- Physical controls designed and implemented to protect IT facilities and equipment from damage/unauthorised access
- IT event management and network architecture controls protect network from unauthorised access
- Batch management process efficiently bulk processes automated tasks
- IT incident management process identifies, responds and handles incidents and reports relevant incidents to SAMA
- Procedures to report problems defined to minimise impact
- Data backup management strategy and procedures defined, approved and implemented
- Process to create, distribute, store, use and retire virtualised images defined and managed
System change management
- Change management process ensures asset changes classified, tested and approved before deployment
- Changes to information assets defined, documented and approved by owner before implementation
- Acquisition process ensures system acquisition/vendor service risks adequately assessed and mitigated
- System development methodology ensures system is developed in a strictly controlled manner
- Information system changes tested in test environment to ensure business requirements are met – and defects/vulnerabilities identified before release to production environment
- Cyber security requirements defined and tested in a testing environment to identify and mitigate security vulnerabilities before release to production environment
- Change release management process strictly controls system changes
- System configuration management process maintains reliable/accurate information about configuration items
- Patch management process up-to-date with latest applicable/relevant patches installed
- Process manages IT projects and related risks throughout project lifecycle
- QA process aligns quality of changes/development with business/user requirements before release to production
Our ITGF assessment methodology
Our market-leading team – which has significant ITGF expertise – can assess the maturity of your current and to be IT governance framework against SAMA’s maturity framework.
