In today’s rapidly evolving threat landscape, protecting your critical systems is non-negotiable. That’s where the Critical Systems Cybersecurity Controls (CSCC), developed by Saudi Arabia's National Cybersecurity Authority (NCA), come into the picture. These controls are designed to help organizations harden their critical systems and enhance their cyber resilience.
Understanding Critical Systems as defined by NCA:
"Any system or network whose failure, unauthorized change to its operation, unauthorized access to it, or to the data stored or processed by it, may result in a negative impact on the organization’s businesses and services’ availability or cause negative economic, financial, security, or social impacts on the national level."
NCA critical systems identification criteria:
1. Negative impact on national security.
2. Negative impact on the Kingdom’s reputation and public image.
3. Significant financial losses (i.e., more than 0.01% of GDP).
4. Negative impact on the services provided to a large number of users (i.e., more than 5% of the population).
5. Loss of lives.
6. Unauthorized disclosure of data that is classified as Top Secret or Secret.
7. Negative impact on the operations of one (or more) vital sectors.
Overview of the Critical Systems Cybersecurity Controls:
In the following sections, we’ll explore how Endpoint Central, ManageEngine’s comprehensive unified endpoint management and security solution, can help you develop a unified cybersecurity strategy in line with the Critical Systems Cybersecurity Controls.
2-1 Asset Management
Objective: To ensure that the organization has an accurate and detailed inventory of information technology assets in order to support the organization’s cybersecurity and operational requirements to maintain the confidentiality, integrity, and availability of information technology assets.
2-1-1 In addition to the controls in ECC subdomain 2-1, cybersecurity requirements for managing information technology assets must include at least the following:
2-1-1-1 Maintaining an annually updated inventory of critical systems’ assets.
2-1-1-2 Identifying asset owners and involving them in the asset management lifecycle for critical systems.

2-2 Identity and Access Management
Objective: To ensure secure and restricted logical access to information technology assets in order to prevent unauthorized access and allow only the authorized access that users need to accomplish their assigned tasks.
2-2-1 In addition to the subcontrols in ECC control 2-2-3, cybersecurity requirements for identity and access management of critical systems must include at least the following:
2-2-1-1 Prohibiting remote access from outside the Kingdom of Saudi Arabia.
2-2-1-2 Restricting remote access from inside the Kingdom of Saudi Arabia, verifying each access attempt through the organization’s security operations center, and continuously monitoring activities related to remote access.
2-2-1-3 Using multi-factor authentication for all users.
2-2-1-4 Using multi-factor authentication for privileged users, and on the systems utilized for managing critical systems stated in control
2-2-1-5 Developing and implementing a high-standard and secure password policy.
2-2-1-6 Utilizing secure methods and algorithms for storing and processing passwords, such as hashing functions.
2-2-1-7 Securely managing service accounts for applications and systems, and disabling interactive login from these accounts.
2-2-1-8 Prohibiting direct access to and interaction with databases for all users except database administrators. Users must access and interact with databases through applications only, with consideration given to applying security solutions that limit or prohibit database administrators’ visibility of classified data.
2-2-2 With reference to ECC subcontrol 2-2-3-5, user identities and access rights to critical systems must be reviewed at least once every three months.

2-3 Information System and Information Processing Facilities Protection
Objective: To ensure the protection of information systems and information processing facilities (including workstations and infrastructure) against cyber risks.
In addition to the subcontrols in ECC control 2-3-3, cybersecurity requirements for protecting critical systems and information processing facilities must include at least the following:
2-3-1-1 Whitelisting the application and software operation files that are allowed to execute on servers hosting critical systems.
2-3-1-2 Protecting servers hosting critical systems using endpoint protection solutions that are approved by the organization.
2-3-1-3 Applying security patches and updates at least once every month for external and internet-connected critical systems and at least once every three months for internal critical systems, in line with the organization’s approved change management mechanisms.
2-3-1-4 Allocating specific workstations in an isolated network (Management Network), isolated from other networks or services (e.g., email service or internet), to be used by highly privileged accounts.
2-3-1-5 Encrypting the network traffic of non-console administrative access for all technical components of critical systems using secure encryption algorithms and protocols.
2-3-1-6 Reviewing critical systems’ configurations and hardening at least once every six months.
2-3-1-7 Reviewing and changing default configurations, and ensuring the removal of hard-coded, backdoor and/or default passwords, where applicable.
2-3-1-8 Protecting systems’ logs and critical files from unauthorized access, tampering, illegitimate modification and/or deletion.

2-4 Networks Security Management
Objective: To ensure the protection of the organization’s network from cyber risks.
In addition to the subcontrols in ECC control 2-5-3, cybersecurity requirements of critical systems’ network security management must include at least the following:
2-4-1-1 Logically and/or physically segregating and isolating critical systems’ networks.
2-4-1-2 Reviewing firewall rules and access lists at least once every six months.
2-4-1-3 Prohibiting direct connection between local network devices and critical systems unless those devices are scanned to ensure they have security controls that meet the acceptable security levels for critical systems.
2-4-1-4 Prohibiting critical systems from connecting to a wireless network.
2-4-1-5 Protecting against Advanced Persistent Threats (APT) at the network layer.
2-4-1-6 Prohibiting connection to the internet for critical systems that provide internal services to the organization and have no strong need to be accessed from outside the organization.
2-4-1-7 Critical systems that provide services to a limited number of organizations (not individuals) shall use networks isolated from the internet.
2-4-1-8 Protecting against Distributed Denial of Service (DDoS) attacks to limit the risks arising from these attacks.
2-4-1-9 Allowing only whitelisting for critical systems’ firewall access lists.
How Endpoint Central helps: Endpoint Central’s Custom Group feature lets admins logically group critical systems as they see fit, so that those systems can be managed and secured separately. Admins can use Endpoint Central to configure Windows Firewall on critical systems, restrict devices from connecting to public Wi-Fi networks, or require critical devices to join the organization’s Wi-Fi using certificates. Endpoint Central also lets admins create Wi-Fi profiles for critical endpoints, and its network-neutral architecture allows admins to manage critical endpoints even when they are isolated from the internet.

2-5 Mobile Devices Security
Objective: To ensure the protection of mobile devices (including laptops, smartphones and tablets) from cyber risks and to ensure the secure handling of the organization’s information (including sensitive information) while utilizing a Bring Your Own Device (BYOD) policy.
In addition to the subcontrols in ECC control 2-6-3, cybersecurity requirements for mobile devices security and BYOD in the organization must include at least the following:
2-5-1-1 Prohibiting access to critical systems from mobile devices except for a temporary period only, after assessing the risks and obtaining the necessary approvals from the cybersecurity function in the organization.
2-5-1-2 Implementing full disk encryption for mobile devices with access to critical systems.
How Endpoint Central helps: Endpoint Central provides conditional access policies that validate authorized users before they access business-critical systems and data. Its Conditional Exchange Access restricts access for unmanaged devices and permits only MDM-approved BYOD devices to reach the Exchange servers. Endpoint Central can also enable FileVault encryption for Mac devices from its MDM.

2-6 Data and Information Protection
Objective: To ensure the confidentiality, integrity, and availability of the organization’s data and information as per organizational policies and procedures, and related laws and regulations.
In addition to the subcontrols in ECC control 2-7-3, cybersecurity requirements for protecting and handling data and information must include at least the following:
2-6-1-1 Prohibiting the use of critical systems’ data in any environment other than the production environment, except after applying strict controls for protecting that data, such as data masking or data scrambling techniques.
2-6-1-2 Classifying all data within critical systems.
2-6-1-3 Protecting classified data of critical systems using data leakage prevention techniques.
2-6-1-4 Identifying the retention period for critical systems-associated data, in accordance with relevant legislation.
2-6-1-5 Only required data must be retained in critical systems’ production environments.
2-6-1-6 Prohibiting the transfer of any critical systems’ data from the production environment to any other environment.

2-7 Cryptography
Objective: To ensure the proper and efficient use of cryptography to protect information assets as per organizational policies and procedures, and related laws and regulations.
In addition to the subcontrols in ECC control 2-8-3, cybersecurity requirements for cryptography must include at least the following:
2-7-1-1 Encrypting all critical systems’ data in transit.
2-7-1-2 Encrypting all critical systems’ data at rest at the level of files, databases or certain columns within a database.
2-7-1-3 Using secure and up-to-date methods, algorithms, keys and devices in accordance with what NCA issues in this regard.
How Endpoint Central helps: Endpoint Central empowers administrators to secure end-user devices by enabling BitLocker encryption for Windows systems and FileVault encryption for Mac devices, ensuring robust data protection. With support for FIPS 140-2-compliant algorithms, Endpoint Central allows users to activate FIPS mode, delivering a highly secure environment for IT operations.

2-9 Vulnerabilities Management
Objective: To ensure timely detection and effective remediation of technical vulnerabilities to prevent or minimize the probability of these vulnerabilities being exploited to launch cyber attacks against the organization.
In addition to the subcontrols in ECC control 2-10-3, cybersecurity requirements for technical vulnerabilities management of critical systems must include at least the following:
2-9-1-1 Utilizing trusted methods and tools for vulnerability assessments.
2-9-1-2 Assessing and remediating vulnerabilities (by installing security updates and patches) on technical components of critical systems at least once every month for external and internet-connected critical systems, and at least once every three months for internal critical systems.
2-9-1-3 Immediately remediating critical vulnerabilities, in line with change management processes approved by the organization.
With reference to ECC subcontrol 2-10-3-1, vulnerability assessments must be conducted on critical systems’ technical components at least once every month.
How Endpoint Central helps: Endpoint Central provides comprehensive vulnerability management, with continuous assessment and visibility of threats from a single console. Beyond assessment, it also provides built-in remediation of the vulnerabilities it detects. For both critical and non-critical information systems, Endpoint Central provides risk-based vulnerability management so that admins can prioritize vulnerabilities based on metrics such as CVSS score, CVE impact type, patch availability, and more.

2-11 Cybersecurity Event Logs and Monitoring Management
Objective: To ensure timely collection, analysis and monitoring of cybersecurity events for early detection of potential cyber attacks in order to prevent or minimize the negative impacts on the organization’s operations.
2-11-1 In addition to the subcontrols in ECC control 2-12-3, cybersecurity requirements for event logs and monitoring management for critical systems must include at least the following:
Activating cybersecurity event logs on all technical components of critical systems.
2-11-1-1 Activating and monitoring alerts and event logs related to file integrity management.
2-11-1-2 Monitoring and analyzing user behavior.
2-11-1-3 Monitoring critical systems’ security events around the clock.
2-11-1-4 Maintaining and protecting critical systems’ security event logs.
2-11-1-5 The log shall include all details (e.g., time, date, ID and affected system).
With reference to ECC subcontrol 2-12-3-5, the retention period of critical systems’ cybersecurity event logs must be 18 months minimum, in accordance with relevant legislative and regulatory requirements.

2-12 Web Application Security
Objective: To ensure the protection of internet-facing web applications against cyber risks.
In addition to the subcontrols in ECC control 2-15-3, cybersecurity requirements for external web applications of the organization’s critical systems must include at least the following:
2-12-1-1 Secure session management, including session authenticity, session lockout and session timeout.
2-12-1-2 Applying the minimum standards of the Open Web Application Security Project (OWASP) Top Ten.
With reference to ECC subcontrol 2-15-3-2, the multi-tier architecture principle, with a minimum of three tiers, must be used.

2-13 Application Security
Objective: To ensure the protection of critical systems’ internal applications against cyber risks.
2-13-1 The cybersecurity requirements for critical systems’ internal applications must be implemented.
2-13-2 The cybersecurity requirements for critical systems’ internal applications must include at least the following:
2-13-3-1 Adopting the multi-tier architecture principle, provided that the number of tiers is not less than three.
2-13-3-2 Using secure protocols (e.g., HTTPS).
2-13-3-3 Outlining the acceptable use policy for users.
2-13-3-4 Secure session management, including session authenticity, session lockout and session timeout.
The cybersecurity requirements for critical systems’ internal applications must be reviewed periodically.
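Several of the controls above are cadence requirements (monthly or quarterly patching in 2-3-1-3 and 2-9-1-2, monthly vulnerability assessment in 2-9, quarterly access reviews in 2-2-2, six-monthly configuration reviews in 2-3-1-6, and 18 months of log retention in 2-11), and an operations team usually wants them checked mechanically against its asset inventory. The script below is an added example, not code from this page or from Endpoint Central; the inventory fields, the sample systems and the 30-day month are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Cadences quoted on this page as maximum allowed age in days (a month is taken as 30 days; align with your policy).
PATCH_MAX_AGE = {"external": 30, "internal": 90}  # 2-3-1-3 / 2-9-1-2
VULN_ASSESSMENT_MAX_AGE = 30                      # 2-9: at least once every month
ACCESS_REVIEW_MAX_AGE = 90                        # 2-2-2: every three months
CONFIG_REVIEW_MAX_AGE = 180                       # 2-3-1-6: every six months
LOG_RETENTION_MIN_DAYS = 18 * 30                  # 2-11: 18 months minimum

@dataclass
class CriticalSystem:
    name: str
    exposure: str            # "external" (internet-connected) or "internal"
    last_patch: date
    last_vuln_assessment: date
    last_access_review: date
    last_config_review: date
    log_retention_days: int  # configured retention of security event logs

def days_since(d: date, today: date) -> int:
    return (today - d).days

def overdue_controls(system: CriticalSystem, today: date) -> list[str]:
    """Return the ids of the CSCC controls whose cadence this system misses."""
    if system.exposure not in PATCH_MAX_AGE:
        raise ValueError(f"{system.name}: unknown exposure {system.exposure!r}")
    missed = []
    if days_since(system.last_patch, today) > PATCH_MAX_AGE[system.exposure]:
        missed.append("2-3-1-3")
    if days_since(system.last_vuln_assessment, today) > VULN_ASSESSMENT_MAX_AGE:
        missed.append("2-9-1-2")
    if days_since(system.last_access_review, today) > ACCESS_REVIEW_MAX_AGE:
        missed.append("2-2-2")
    if days_since(system.last_config_review, today) > CONFIG_REVIEW_MAX_AGE:
        missed.append("2-3-1-6")
    if system.log_retention_days < LOG_RETENTION_MIN_DAYS:
        missed.append("2-11")
    return missed

def compliance_report(systems: list[CriticalSystem], today: date) -> dict[str, list[str]]:
    """Map each system name to its missed controls; an empty list means compliant."""
    return {s.name: overdue_controls(s, today) for s in systems}

# Constructed sample inventory (not real systems), evaluated as of AS_OF.
AS_OF = date(2024, 6, 1)
SAMPLE = [
    CriticalSystem("portal-web", "external", date(2024, 4, 15), date(2024, 5, 20), date(2024, 4, 1), date(2024, 1, 10), 540),
    CriticalSystem("core-db", "internal", date(2024, 4, 15), date(2024, 5, 20), date(2024, 5, 28), date(2024, 5, 28), 365),
]
```

Running `compliance_report(SAMPLE, AS_OF)` flags the internet-facing portal for a 47-day-old patch level and the internal database for a one-year log retention setting, while the same patch age is acceptable for the internal system.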