
Circular

No. E/1/2022
Issuing Information Security Guidelines
for Public Joint Stock Companies

• Based on the Capital Market Law enacted by Royal Decree No. 80/98; and
• The Commercial Companies Law enacted by Royal Decree No. 18/2019; and
• The Regulation for Public Joint Stock Companies issued by Decision No. 27/2021; and
• In the interest of the public,

It has been decided

First Article
The attached guidelines shall have effect with regard to information security for public joint
stock companies

Second Article
Public joint stock companies shall amend their internal regulations and policies to be
consistent with the information security guidelines within a maximum of three (3) months from
the date of effect of this decision.

Third Article
This Circular shall have effect as from the date of issuance.

Issued on: 2 Jumada II, 1443


Corresponding to: 5 January, 2022

Abdullah Salim Abdullah Al Salmi


Executive President
Information Security Guidelines


For
Public Joint Stock Companies

Official Page 2 of 11
Information Security Guidelines

1 Introduction
Information security is crucial to all organizations to protect their information and to conduct
their businesses without facing security and performance issues. Information security is defined
as the protection of information, the IT systems, hardware etc. that use, store and transmit that
information. Information Security is to combine systems, operations and internal controls to
ensure integrity and confidentiality of data and operation procedures in an organization.
In the ever-changing technological environment, Information security must keep pace with these
changes to enable organizations to create and operate in an environment of ‘Trust and
Confidence’. It must be considered an integral part of the systems
development life cycle process and explicitly addressed during each phase
of the process. Security related issues and loopholes must be dealt with in a proactive and
timely manner.
From the perspective of a regulator, CMA is mindful of the importance of information security in
the Public Joint Stock Companies that have public ownership and the cascading effect of any
adverse event on investor confidence across the capital market. While most of these companies
are understood to have robust infrastructure and policies to manage the risks, it is also critical to
establish a baseline and create a mechanism for periodic review and reporting, in order to
institutionalize such practices.

2 Purpose
• This document sets out the minimum requirements that shall be complied with to protect the
Confidentiality, Integrity, and Availability of information and technology assets by adopting
global best practices and local information security legislation.
• Decision No. 27/2021 Issuing the Regulation for Public Joint Stock Companies states:

Article (161): The roles and responsibilities of the internal auditor shall include but not be
limited to the following:
11. Review the information security system and control system, including applications control
system and the database management system to protect the security, integrity and
confidentiality of the company’s data.

Article (164): A risk-based internal audit plan for the year shall be prepared by the internal
audit unit before the commencement of the year, and shall be approved by the audit
committee. The plan should include:


2. The plan shall reasonably cover all business processes as per the risk assessment and
professional judgement of the internal audit unit and shall also ensure that the following
department/business processes are covered at least once every year:

(f) Review of the automated internal controls including the information security and integrity
of the company’s information technology systems and databases.

• If the SAOG company has already established a specific Risk Management
Committee of the Board, or establishes such a committee in future, the information
security function should report to that committee either directly or through the
appointed Risk Manager (if any), instead of reporting to the Internal Auditor.
• The information security function must be organized in a manner that is independent of
enterprise IT. It should have the authority to decide on the information security measures to
be implemented by the company. The Internal Auditor should review and oversee the
implementation. The overall supervision shall rest with the Audit / Risk Management
Committee of the Board.
• The Executive Management must provide the necessary support for establishing the
company's policies and procedures to comply with these guidelines.
• The Audit / Risk Management Committee of all listed companies shall establish a
mechanism to verify the effective implementation of the policies and procedures in each
quarter, and a statement confirming compliance with these guidelines shall be carried in
the Annual Report each year.

2.1 Scope of Applicability


SAOG companies that are listed on the Muscat Securities Exchange (MSX) (Listed Companies
for short) must implement these guidelines as minimum requirements. If a listed company
is also required to follow any other guideline or requirement on this topic specified by its
sector regulator or any other competent authority, it should implement both sets of
requirements in a harmonious way. If, however, the requirements conflict with each
other, the requirements specified by its sector regulator or other competent authority
shall be implemented, and a written record explaining the reasons for deviating from
these guidelines shall be maintained, with notification to the Board of Directors of the
company.


3 How to use these Guidelines


Concerned executives in the listed companies are expected to read and understand these
guidelines. They must also carry out a thorough gap analysis between these Guidelines and their
current framework, if any. Each listed company shall create its own policies and procedures in
line with these guidelines and according to their business requirements and ISMS standards.

4 Organization Structure and Responsibilities of Information Security


• Listed companies shall have dedicated information security staff in the form of a designated
role, section, and/or department, or as deemed appropriate.
• The responsibilities shall include planning, implementation, periodic assessment, and any
other activities related to the management and execution of the Information Security
Management System (ISMS) and its security controls in terms of people, process, and
technology. The Listed Company's Executive Management shall ensure resource provision and
compliance with these information security guidelines.

5 Information Security Management System


The Listed Company shall adopt a robust and prudent ISMS standard that is
commensurate with the nature of its business, to ensure the utmost protection of the Confidentiality, Integrity
and Availability of its information assets, and in line with section (8) headed "Risk
Assessment and Treatment" in this document.

6 Local and International Regulatory Compliance


6.1 Local Statutory Compliance and Regulations
Listed companies shall ensure compliance with all applicable laws and regulations
including, without limitation, those issued by:
a) Authority for Public Services Regulation;
b) Center of Cyber Defense;
c) Central Bank of Oman (CBO);
d) Capital Market Authority;
e) Ministry of Transport, Communications, and Information Technology (MTCIT);
f) Ministry of Commerce, Industry and Investment Promotion;
g) National Records and Archives Authority (NRAA); and
h) Telecommunication Regulation Authority (TRA).


6.2 Industry Specific Requirements


Listed Companies shall ensure compliance with all applicable industry-specific requirements
including, without limitation:
a) Industrial Control System (ICS) / Supervisory Control and Data Acquisition (SCADA)
b) SWIFT Customer Security Program (SWIFT CSP)
c) Payment Card Industry Data Security Standard (PCI-DSS)
d) International Civil Aviation Cyber Security Strategy

7 Minimum Information Security Controls


Without prejudice to the requirements set out in the section (6) headed “Local and International
Regulatory Compliance”, Listed Companies shall adhere to the following controls as minimum
information security controls for management and protection of Confidentiality, Integrity, and
Availability of information and technology assets. These controls shall not absolve any Listed
Company from adopting an international ISMS standard for its Information Technology (IT),
Operational Technology (OT) and/or ICS environments. However, the Listed Companies shall
ensure the information security controls align with its operational needs based on its Risk
Assessments.

7.1 Access Control Policy


• Listed companies shall have an access control policy that covers how new users are
authorized and granted appropriate privileges, as well as how these privileges are reviewed and
revoked when necessary. It shall also include appropriate controls to prevent users from
obtaining unauthorized privileges or access.
• The access control policy shall include, but not be limited to:
  • Access to the network and network services
  • Access to organization systems and applications
  • Authentication and authorization.

7.2 Password Management


Listed Companies shall have an appropriate password management policy in place. A password
policy is a set of rules designed to enhance computer security by requiring users to
employ strong passwords and use them appropriately.

7.3 Log Management


Listed Companies shall establish, maintain, and process log management as per the
adopted ISMS framework and in line with applicable regulatory and legal requirements.


7.4 Data Privacy


Listed Companies shall take utmost measures to protect the privacy of Personally
Identifiable Information (PII) aligned with applicable local and international data protection
laws and regulatory requirements.
7.5 Cryptography
Listed Companies shall implement cryptography to ensure the Confidentiality, Authentication,
Integrity and Non-repudiation of sensitive/classified information while it is stored (at rest),
held in memory (in use) and travelling across the network (in transit).

7.6 Data Hosting


• Listed Companies shall adhere to the rules and regulations applicable in Oman
regarding data hosting.

7.7 Information Security Requirements in Contracts


Listed Companies shall ensure the contractual terms and conditions governing the roles,
relationships, obligations, and responsibilities of all contractors, third parties and service
providers in relation to information security shall be set out fully in written agreements.
Generally, the contract shall, at a minimum, include the following information security
requirements:
a) Non-disclosure clauses and secure removal of Listed Companies' data by contractors,
third parties and service providers upon Listed Companies' request or the end of
service;
b) Communication procedures in case of cybersecurity incidents; and
c) Requirements for contractors, third parties and service providers to comply with
related Company Policies and Procedures and applicable laws and regulations.

7.8 Physical and Environment Security


• Listed Companies shall ensure there are adequate measures to prevent unauthorized
physical access to, damage to and interference with companies' information and information
processing facilities, and to prevent loss, damage, theft or compromise of assets and
interruption to companies' operations.
• The measures shall include, but not be limited to:
  • Physical security perimeters and security controls;
  • Protection against external and environmental threats;
  • Unattended user equipment policy;
  • Clear desk and clear screen policy.


7.9 Personnel Security
Listed companies shall have a defined policy and procedures for handling Personnel
Security. Security controls should be implemented for all stages of employment, from the
screening process, through transfers from one unit to another inside the organization, to
termination of staff.

7.10 Media Protection and Removable Media Policies


Listed companies shall have a defined policy and procedures for handling media and
removable media. Except for backups, users shall be prohibited from copying, moving or
storing sensitive data on local hard drives and removable media.

7.11 Incident Management


Listed Companies shall comply with applicable regulatory standards, adopt best
practices, establish necessary technical measures and proper safeguards to manage,
detect, and respond to any security incidents and shall ensure that:
a) Incident response management and response plans shall be designed to allow
rapid response to all levels, including escalation criteria that align with its criticality
classification.
b) In the case of loss of financial assets, PII, or any other information covered under
an applicable data protection regulation, Listed Companies shall communicate to
the affected parties within appropriate time standards as required by the
regulators or applicable data protection laws.
c) In the event of any major incident that can have any effect on the price of the
securities issued by any company that is listed on MSX, the company must make the
necessary and adequate disclosures as required under the Capital Market Law and its
Executive Regulations.

7.12 Business Continuity and Disaster Recovery Plans


• Listed Companies shall establish a Business Continuity Plan (BCP) and Disaster
Recovery Plan (DRP) to ensure that corporate information assets are protected and
can resume function quickly in the event of a disaster. The BCP/DRP shall be in line with
applicable Policies and Guidelines relating to Business Continuity Management
(BCM).
• Listed Companies shall, at a minimum, conduct a disaster recovery test annually, and
need-based disaster recovery tests whenever there are changes in the process,
environment, technology, or organization.


8 Risk Assessment and Treatment


• Listed Companies shall conduct information security Risk Assessments, in accordance with
applicable Policies and Guidelines relating to risk management, to assist in making well-
informed, risk-based information security and cybersecurity decisions. The information
security Risk Assessment process must be designed to evaluate information security risks
while aligning with the overall corporate risk objectives.
• Listed Companies shall, at a minimum, conduct an annual Risk Assessment, and need-based
Risk Assessments whenever there are changes in the process, environment, technology, or
organization.
• The Risk Assessment observations shall be reported to the Risk Committee or, if there is no
Risk Committee, to the Audit Committee of the board of directors of the listed company.

9 Information Security Awareness and Training Program


Listed Companies shall formalize a plan to provide ongoing information security awareness and
training sessions to new and existing staff on information security best practices to ensure they are
knowledgeable and aptly trained for their specific information security roles and functions. The
sessions shall also cover tackling the anticipated effect(s) of potential cyber threats and data breaches.
The listed companies shall also conduct regular cyber drills to enhance cyber capabilities within the
organization and to develop and implement operational procedures to respond better to various cyber
incidents.

10 Monitoring, Assessment and Compliance


10.1 Monitoring and Detection Process
Listed Companies shall have the necessary systems to monitor the environment for cyber
threats. These security systems should provide the Listed Companies with the ability to
take proactive and reactive responses to security threats. Where these systems are
outsourced, the Listed Companies need to ensure compliance with any related local
regulatory guidelines.

10.2 Information Security Posture Assessment


• Listed Companies shall conduct a periodic information security assessment of all
systems, applications, networks, electronic websites, databases, physical security
systems, people, and processes to identify and address security vulnerabilities and
sources of information security threats on a timely basis.
• Information security assessments and testing shall, at a minimum, be carried out
annually, or more frequently whenever changes are made that could have an impact
on the business or on perceived threats.
• The information security assessments shall detect any anomalies by carrying out
vulnerability assessments and penetration tests that replicate current attacks,
considering the size and complexity of the Listed Company's business nature and its risk
exposures.
• The information security assessments and testing shall also include, but not be limited
to (as applicable):
a) Regular vulnerability scans and testing of hardware and software for client, server,
and network infrastructure to identify security control gaps;
b) Regular penetration testing of the network boundary (e.g., open network entry
and exit points) to identify security control gaps; and
c) Regular Vulnerability Assessment and Penetration Testing (VAPT) with an
independent third-party provider.

11 Data Classification
• All Listed Companies should comply with data classification laws and legislation, especially
those issued by the NRAA and MTCIT.
• Identify sensitive data elements within data fields.
• Determine the classification and mechanism of data encoding according to level of importance.
• Identify the privacy of data and information.
• Create a centralized platform for managing and controlling changes and providing access to
sensitive data assets.
• Specify a mechanism to measure the level of data protection.
• Identify and implement workflow plans for the governance structure and key data elements and
fields.
• Observe, monitor, and report on workflow procedures.

12 Data Leakage
Listed Companies shall commit to implement strict controls and preventive measures to prevent
unauthorized data sharing/transfer intentionally by malicious insiders or unintentionally /
accidentally.


13 Website Security Guidelines


1. All websites need to undergo security penetration testing.
2. Websites must clear a Security Audit by a certification agency and must have a Security Policy.
3. Use appropriate security protocols for session management after the initial authentication.
4. When an application is sending sensitive data over the air/wire, enforce the use of an end-to-end
secure channel (SSL/TLS).
5. Sensitive data storage should always be encrypted, as should the cached data.

14 Mobile App Security Guidelines


1. All mobile applications need to undergo security penetration testing.
2. The handling of sensitive data and the sharing of private information should be considered and
security measures put in place; use appropriate security protocols for session
management after the initial authentication.
3. Wherever possible, store sensitive data on a server rather than on the mobile device.
4. If data storage on the device is necessary, use the file encryption APIs provided by the operating
system or another trusted source.
5. Sensitive data storage should always be encrypted, as should the cached data.
6. Use dual-factor authentication via One Time Password (OTP), SMS or email, if appropriate.
7. If necessary, use context data to add further security to authentication (e.g. location).
8. When the data is highly sensitive, put an added level of authentication in place depending on
the service (e.g. fingerprint, voice).

15 Other Useful Resources


Entities should also ensure compliance with the following applicable guidelines:
• Cyber Crime Law
• Database Security Standards
• ICT Remote Access policy
• Information Security Management Framework
• Refer to Omanuna portal (https://oman.om/wps/portal/index/strategiesandpolicies) for
other relevant policies and Guidelines.

//The End//
