CMA - Information Security Guidelines - V13 FINAL
No. E/1/2022
Issuing Information Security Guidelines
for Public Joint Stock Companies
Based on the Capital Market Law enacted by Royal Decree No. 80/98; and
The Commercial Companies Law enacted by Royal Decree No. 18/2019; and
The Regulation for public Joint Stock Companies issued by decision No. 27/2021; and
In the Interest of the public
First Article
The attached guidelines shall have effect with regard to information security for public joint stock companies.
Second Article
Public joint stock companies shall amend their internal regulations and policies to be consistent with the information security guidelines within a maximum of three (3) months from the date of effect of this decision.
Third Article
This Circular shall have effect as from the date of issuance.
Official Page 2 of 11
Information Security Guidelines
1 Introduction
Information security is crucial to all organizations in order to protect their information and to conduct their business without facing security and performance issues. Information security is defined as the protection of information and of the IT systems, hardware and other assets that use, store and transmit that information. It combines systems, operations and internal controls to ensure the integrity and confidentiality of data and of operating procedures in an organization.
In an ever-changing technological environment, information security must keep pace with these changes to enable organizations to create and operate in an environment of 'Trust and Confidence'. It must be considered an integral part of the systems development life cycle and explicitly addressed during each phase of that process. Security-related issues and loopholes must be dealt with in a proactive and timely manner.
From the perspective of a regulator, CMA is mindful of the importance of information security in
the Public Joint Stock Companies that have public ownership and the cascading effect of any
adverse event on investor confidence across the capital market. While most of these companies
are understood to have robust infrastructure and policies to manage the risks, it is also critical to
establish a baseline and create a mechanism for periodic review and reporting, in order to
institutionalize such practices.
2 Purpose
This document sets out the minimum requirements that shall be complied with to protect the Confidentiality, Integrity and Availability of information and technology assets, by adopting global best practices and complying with local information security legislation.
Decision No. 27/2021 Issuing the Regulation for Public Joint Stock Companies states:
Article (161): The roles and responsibilities of the internal auditor shall include but not be
limited to the following:
11. Review the information security system and control system, including applications control
system and the database management system to protect the security, integrity and
confidentiality of the company’s data.
Article (164): A risk-based internal audit plan for the year shall be prepared by the internal
audit unit before the commencement of the year, and shall be approved by the audit
committee. The plan should include:
2. The plan shall reasonably cover all business processes as per the risk assessment and
professional judgement of the internal audit unit and shall also ensure that the following
department/business processes are covered at least once every year:
(f) Review of the automated internal controls including the information security and integrity
of the company’s information technology systems and databases.
Where an SAOG company has already established a specific Risk Management Committee of the Board, or establishes such a committee in future, the information security function should report to that committee, either directly or through the appointed Risk Manager (if any), instead of reporting to the Internal Auditor.
The information security function must be organized in a manner that is independent of
enterprise IT. It should have the authority to decide on information security measures to
be implemented by the company. The Internal Auditor should review and oversee the
implementation. The overall supervision shall rest with the Audit / Risk Management
Committee of the Board.
The Executive Management must provide the necessary support for establishing the company's policies and procedures to comply with these guidelines.
The Audit / Risk Management Committee of all listed companies shall establish a mechanism to verify the effective implementation of the policies and procedures each quarter, and a statement confirming compliance with these guidelines shall be included in the Annual Report each year.
systems, people, and processes to identify and address security vulnerabilities and
sources of information security threats on a timely basis.
Information security assessments and testing shall, at a minimum, be carried out annually, and more frequently whenever changes are made that could have an impact on the business or on the perceived threats.
The information security assessments shall detect any anomalies by carrying out
vulnerability assessments and penetration tests that replicate current attacks,
considering the size and complexity of Listed Companies’ business nature and the risk
exposures.
The information security assessments and testing shall also include, but not be limited
to (as applicable):
a) Regular hardware and software vulnerability scans and testing of client, server and network infrastructure to identify security control gaps;
b) Regular penetration testing of the network boundary (e.g., open network entry
and exit points) to identify security control gaps; and
c) Regular Vulnerability Assessment and Penetration Testing (VAPT) with an
independent third-party provider.
11 Data Classification
All Listed Companies should comply with applicable data classification laws and regulations, in particular those issued by the NRAA and MTCIT.
Identify sensitive data elements within data fields.
Determine the classification level and the data encoding mechanism according to the level of importance.
Identify the privacy requirements of data and information.
Create a centralized platform for managing and controlling changes to, and access to, sensitive data assets.
Specify a mechanism to measure the level of data protection.
Identify and implement workflow plans for the governance structure and for key data elements and fields.
Observe, monitor and report on workflow procedures.
12 Data Leakage
Listed Companies shall implement strict controls and preventive measures to prevent unauthorized data sharing or transfer, whether intentional (by malicious insiders) or unintentional and accidental.
5. Sensitive data storage should always be encrypted, as should the cached data.
//The End//