
🔐 Cybersecurity Glossary

Over 265 professional cybersecurity terms in English & Arabic — your comprehensive reference for the cybersecurity world

265 terms · 16 categories · 47 frameworks
25 terms
Cross-Border Data Transfer Compliance CBDT
الامتثال لنقل البيانات عبر الحدود
The regulatory requirements under PDPL for transferring personal data outside Saudi Arabia, requiring data controllers to ensure adequate protection levels in the receiving country, obtain necessary approvals, implement appropriate safeguards such as standard contractual clauses, and maintain accountability for data protection throughout the transfer process.
Cyber Incident Notification CIN
الإخطار بالحوادث السيبرانية
The mandatory process of reporting cybersecurity incidents to relevant regulatory authorities, affected parties, and stakeholders within specified timeframes, including details about the nature, scope, and impact of the incident as required by applicable regulations.
Cyber Incident Reporting
الإبلاغ عن الحوادث السيبرانية
The mandatory or voluntary process of notifying relevant authorities, stakeholders, and affected parties about cybersecurity incidents within specified timeframes. In Saudi Arabia, this includes reporting to NCA for critical infrastructure and SAMA for financial institutions.
Cybersecurity Asset Management CAM
إدارة أصول الأمن السيبراني
An NCA ECC control domain requiring organizations to maintain a comprehensive inventory of all information assets, including hardware, software, data, and network components, with proper classification, ownership assignment, and lifecycle management to ensure adequate protection measures.
Cybersecurity Defense CD
الدفاع السيبراني
The second domain of the NCA ECC framework that encompasses technical and operational controls for protecting information systems, networks, and data, including access control, network security, encryption, vulnerability management, and security monitoring capabilities.
Cybersecurity Governance CG
حوكمة الأمن السيبراني
The first domain of the NCA ECC framework that establishes requirements for organizational leadership, cybersecurity strategy, policies, risk management, and compliance programs to ensure effective oversight and accountability for cybersecurity across the organization.
Cybersecurity Governance Domain SAMA CSF Domain 1
مجال حوكمة الأمن السيبراني
The first domain of SAMA CSF that requires financial institutions to establish comprehensive cybersecurity governance structures, including board-level oversight, cybersecurity strategy, risk management frameworks, policies and procedures, and organizational roles and responsibilities for managing cybersecurity risks.
Cybersecurity Incident Response and Management CIRM
الاستجابة والإدارة لحوادث الأمن السيبراني
An NCA ECC control domain requiring organizations to establish formal capabilities for detecting, analyzing, containing, eradicating, and recovering from cybersecurity incidents, including mandatory reporting to NCA within specified timeframes for incidents affecting critical systems or sensitive data.
Cybersecurity Maturity Level CML
مستوى نضج الأمن السيبراني
A classification system within the NCA ECC framework that categorizes organizations into different maturity levels (Basic, Intermediate, Advanced) based on their criticality and risk profile, determining the depth and rigor of cybersecurity controls they must implement.
Cybersecurity Resilience and Business Continuity SAMA CSF Domain 3
المرونة السيبرانية واستمرارية الأعمال
The third domain of SAMA CSF requiring financial institutions to develop and maintain capabilities to withstand, respond to, and recover from cybersecurity incidents, including incident response plans, business continuity and disaster recovery programs, backup strategies, and regular testing exercises to ensure operational resilience.
Data Subject Rights DSR
حقوق صاحب البيانات
Rights granted to individuals under PDPL, including the rights to access, rectify, and erase their personal data, to restrict or object to its processing, and to data portability, which organizations must facilitate and respond to within specified timeframes.
Digital Forensics and Incident Analysis DFIR
التحليل الجنائي الرقمي وتحليل الحوادث
The systematic collection, preservation, analysis, and documentation of digital evidence from security incidents to determine the root cause, scope of compromise, attack vectors, and support legal proceedings or regulatory reporting.
ECC Compliance Assessment ECC-CA
تقييم الامتثال للضوابط الأساسية
A mandatory periodic evaluation process conducted by organizations subject to NCA ECC requirements to measure their adherence to the prescribed cybersecurity controls. The assessment involves self-evaluation, documentation review, technical testing, and may include third-party audits. Organizations must submit compliance reports to the NCA demonstrating implementation status, identified gaps, and remediation plans, with assessments typically required annually or following significant system changes.
ECC Cybersecurity Maturity Level ECC ML
مستوى نضج الأمن السيبراني للضوابط الأساسية
A classification system within the NCA ECC framework that defines three progressive maturity levels for implementing cybersecurity controls based on organizational risk profile and criticality. Level 1 represents basic cybersecurity practices, Level 2 indicates intermediate security measures, and Level 3 denotes advanced security capabilities. Organizations must achieve the maturity level appropriate to their classification as determined by NCA.
ECC Cybersecurity Maturity Model ECC-CMM
نموذج نضج الأمن السيبراني للضوابط الأساسية
A structured assessment methodology within the NCA ECC framework that measures an organization's cybersecurity maturity across five levels: Level 1 (Initial), Level 2 (Developing), Level 3 (Defined), Level 4 (Managed), and Level 5 (Optimized). Organizations are required to achieve specific maturity levels based on their classification and criticality, with higher-risk entities expected to reach higher maturity levels.
Identity and Access Management (IAM)
إدارة الهوية والوصول
A framework of policies, processes, and technologies that enables organizations to manage digital identities and control user access to critical information and systems. IAM ensures that the right individuals access the right resources at the right times for the right reasons.
Incident Containment
احتواء الحادث
The process of limiting the scope and impact of a security incident by isolating affected systems, preventing lateral movement of threats, and stopping the incident from spreading to other parts of the network or organization.
Incident Notification and Reporting
الإخطار والإبلاغ عن الحوادث
The mandatory process of informing relevant stakeholders, regulatory authorities, and affected parties about security incidents within specified timeframes, including details about the nature, impact, and remediation measures of the incident.
Incident Response Team (IRT)
فريق الاستجابة للحوادث
A designated group of trained professionals responsible for managing and coordinating responses to cybersecurity incidents. The team typically includes technical experts, legal advisors, communications specialists, and management representatives who work together to contain, investigate, and remediate security breaches.
Personal Data Protection Law (PDPL) Compliance
الامتثال لنظام حماية البيانات الشخصية
The adherence to Saudi Arabia's Personal Data Protection Law, which establishes requirements for the collection, processing, storage, and transfer of personal data to protect individuals' privacy rights and ensure data controllers and processors implement appropriate technical and organizational measures.
Role-Based Access Control (RBAC)
التحكم في الوصول المبني على الأدوار
An access control method within IAM that assigns system permissions to users based on their organizational roles rather than individual identities. RBAC simplifies access management by grouping permissions into roles, ensuring users only have access necessary to perform their job functions in accordance with the principle of least privilege.
Third-Party and Cloud Computing Cybersecurity TPCCC
الأمن السيبراني للأطراف الثالثة والحوسبة السحابية
The fifth domain of the NCA ECC framework that establishes requirements for managing cybersecurity risks associated with third-party service providers, vendors, and cloud service providers, including due diligence, contractual security requirements, and ongoing monitoring of external parties.
Third-Party Cybersecurity Management SAMA CSF Domain 4
إدارة الأمن السيبراني للأطراف الثالثة
The fourth domain of SAMA CSF that mandates financial institutions to implement comprehensive third-party risk management programs, including vendor due diligence, contractual security requirements, continuous monitoring of third-party security posture, and incident notification obligations for service providers handling sensitive financial data.
Third-Party Cybersecurity Risk Management TPCRM
إدارة مخاطر الأمن السيبراني للأطراف الثالثة
An NCA ECC control domain mandating organizations to assess, monitor, and manage cybersecurity risks associated with vendors, suppliers, service providers, and other external parties that have access to organizational systems or data, including contractual security requirements and ongoing compliance verification.
Vulnerability Management VM
إدارة الثغرات الأمنية
A systematic approach to identifying, evaluating, treating, and reporting security vulnerabilities in systems and software, including continuous monitoring and remediation processes to reduce organizational risk exposure.