
Information Security Organizational Charter
Information Security Department,
<Bank Name>
<Address>
DOCUMENT DETAILS

DOCUMENT STAKEHOLDERS

ROLE ASSIGNEE(S)

Approver

Owner

Custodian

VERSION HISTORY

DOCUMENT VERSION COMMENTS DATE

– InternalPage 2 | 25
TABLE OF CONTENTS

1 INTRODUCTION 4
1.1 PURPOSE 4
1.2 SCOPE 4
2 CHARTER DETAILS 4
2.1 INFORMATION SECURITY COMMITTEE 4
2.2 SENIOR MANAGEMENT 4
2.3 CHIEF SECURITY OFFICER 5
2.4 INFORMATION SECURITY DEPARTMENT (INFOSEC) 6
2.5 INFORMATION TECHNOLOGY GROUP (ITG) 11
2.6 ITG–TELECOMS SERVICES DEPARTMENT 12
2.7 ITG–USER ACCESS MANAGEMENT 13
2.8 ITG–TECHNICAL SUPPORT 14
2.9 ITG–APPLICATIONS DEVELOPMENT 14
2.10 ITG–APPLICATIONS SUPPORT 15
2.11 ITG–SYSTEMS AND DATA SERVICES 15
2.12 ITG–SERVICE DESK 16
2.13 OWNERS OF INFORMATION ASSETS 16
2.14 CUSTODIAN OF INFORMATION ASSETS 16
2.15 INTERNAL AND EXTERNAL AUDITOR 17
2.16 INFORMATION USERS 17
3 APPENDIX 18
3.1 RACI MATRIX 18
3.2 RELATED DOCUMENT(S) 25

1 Introduction
1.1 PURPOSE
The purpose of this charter is to define the various security roles and responsibilities within <Bank Name>,
its controlled subsidiaries and affiliates. By clearly defining roles and responsibilities relating to
information security, <Bank Name> can ensure that responsible and accountable protection of information
assets occurs.

1.2 SCOPE
This Charter applies to:
• <Bank Name>, its controlled subsidiaries and affiliates, collectively referred to as <Bank Name>.
• All <Bank Name> staff, including employees, insourced, outsourced, temporary and third-party employees.
• All information assets hosted, processed, or managed by <Bank Name> or authorized third parties.

2 Charter Details
2.1 INFORMATION SECURITY COMMITTEE
The InfoSec Committee (ISC) is a cross-functional committee mandated by the board. An independent
senior management member from a control function should head the ISC.
The ISC should have representation from business departments and relevant control functions, with
internal audit as an observer.

Responsibilities

2.1.1.1 Review and support the information security strategy to ensure it aligns with the bank’s strategic objectives.

2.1.1.2 Support the Information Security Department in approving and implementing the information security policy,
information security architecture and security initiatives.

2.1.1.3 Provide oversight of emerging risks to the bank’s information assets.

2.1.1.4 Support the Information Security Department in resolving non-compliance issues.

2.1.1.5 Review and advise on the adequacy of security initiatives to serve business functions.

2.1.1.6 Ratify goals for the <Bank Name>-wide information security program.

2.1.1.7 Communicate and facilitate information security needs and sound practices between <Bank Name>
departments, other committees, and <Bank Name> strategic initiatives.

2.1.1.8 Review the performance and effectiveness of the information security program.

2.1.1.9 Ensure <Bank Name>’s information security risk appetite is periodically monitored and reviewed, and is
communicated upon any material change in the risk appetite.

2.2 SENIOR MANAGEMENT


Responsibilities

2.2.1.1 Ensuring that standards, processes and procedures reflect security requirements if applicable.

2.2.1.2 Ensuring that individuals accept and comply with the information security policy, supporting standards and
procedures when they are issued and updated.

2.2.1.3 Ensuring that information security responsibilities are incorporated in the job descriptions of key positions
and information security staff.

2.3 CHIEF SECURITY OFFICER


Role
The Chief Security Officer (CSO) plans, directs and manages overall information security and business protection in
the bank, envisioning and taking the steps needed to implement the security controls that protect all of <Bank Name>.

Responsibilities

2.3.2.1 Ensure the development and maintenance of the cyber security strategy, cyber security policy, cyber security
architecture, and cyber security risk management process.

2.3.2.2 Ensure that detailed security standards and procedures are established, approved and implemented.

2.3.2.3 Ensure pertinent risk-based cyber security solutions are implemented, spanning people, process and
technology.

2.3.2.4 Ensure cyber security staff are delivering cyber security solutions in a business context.

2.3.2.5 Ensure the following cyber security activities are staffed and appropriately managed:
• Monitoring of the cyber security activities (CSC monitoring);
• Monitoring of compliance with cyber security regulations, policies, standards and procedures;
• Overseeing the investigation of cyber security incidents;
• Gathering and analyzing threat intelligence from internal and external sources;
• Performing cyber security reviews.

2.3.2.6 Ensure cyber security risk assessments are conducted for <Bank Name> information assets.

2.3.2.7 Ensure the following are staffed and appropriately supported:
• Performing information and system classifications;
• Determining cyber security requirements for important projects;
• Performing cyber security reviews.

2.3.2.8 Ensure cyber security awareness programs are defined and conducted.

2.3.2.9 Ensure cyber security metrics are measured and reported on the cyber security strategy, cyber security policy,
compliance with standards and procedures, and cyber security programs (e.g., awareness program, data
classification program, key cyber security improvements).

2.3.2.10 Ensure security-related skills training is provided to <Bank Name> staff in the relevant functional areas, in
line with their job descriptions, including key roles within the bank, information security staff, staff
involved in developing and maintaining information assets, and staff involved in risk assessments.

2.3.2.11 Ensure data privacy and data protection requirements are defined, approved and communicated.

2.4 INFORMATION SECURITY DEPARTMENT (INFOSEC)
2.4.1 Cyber Security Governance and Strategy
2.4.1.1 Information Security Policy
2.4.1.1.1 Ensure information security policies, standards and procedures are defined, approved and communicated.
2.4.1.1.2 Ensure information security policies, standards and procedures are reviewed periodically according to a
predefined and structured review process.
2.4.1.1.3 Ensure information security policies, standards and procedures are aligned with applicable regulatory and
contractual obligations.
2.4.1.1.4 Maintain the ISMS in conformance with ISO 27001 and to meet annual certification.
2.4.1.1.5 Ensure that security baselines are in place and maintained.

2.4.1.2 Information Security Strategy


2.4.1.2.1 Ensure the information security strategy is defined, approved and implemented.
2.4.1.2.2 Ensure the information security strategy is aligned with the bank’s strategic objectives.
2.4.1.2.3 Monitor the effectiveness of the information security strategy.
2.4.1.2.4 Periodically review the information security strategy.

2.4.1.3 Identity and Access Management


2.4.1.3.1 Ensure access to information is provided on a need-to-have and need-to-know basis.
2.4.1.3.2 Review user access rights and profiles to ensure compliance with the access control policy.
2.4.1.3.3 Ensure an identity management solution is implemented to automate and centralize user access and to
maintain individual accountability.
2.4.1.3.4 Monitor the effectiveness of identity and access management.

2.4.1.4 Information Security Awareness

2.4.1.4.1 Ensure information security awareness program is defined, approved and conducted for various user types
and customers to promote positive cyber security culture.
2.4.1.4.2 Ensure information security awareness program is tailored according to cyber security behaviors of various
target audience groups.
2.4.1.4.3 Develop and maintain a bank-wide information security awareness program to address the different target
audience groups through multiple channels.
2.4.1.4.4 Ensure information security awareness program is tailored to relevant emerging cyber security events and
cyber threats.
2.4.1.4.5 Ensure recommendations from various user types are captured to improve the cyber security awareness
program.
2.4.1.4.6 Ensure the effectiveness of information security awareness program is measured through security metrics.

2.4.1.5 Information Security Architecture


2.4.1.5.1 Ensure the information security architecture is defined, approved and implemented.
2.4.1.5.2 Monitor the effectiveness of the information security architecture.
2.4.1.5.3 Periodically review the information security architecture.
2.4.1.5.4 Ensure the information security architecture is aligned with business requirements, service capabilities and
cyber security controls.
2.4.1.5.5 Ensure qualified cyber security architects are available to maintain the information security architecture.

2.4.1.6 Data Privacy and Data Protection


2.4.1.6.1 Ensure the data privacy and data protection framework is defined, approved and implemented.
2.4.1.6.2 Monitor the effectiveness of the data privacy and data protection framework.
2.4.1.6.3 Periodically review the data privacy and data protection framework.
2.4.1.6.4 Ensure qualified data privacy personnel are available to maintain data privacy and data protection.

2.4.1.7 Cyber Security Supply Chain


2.4.1.7.1 Create, manage, execute and monitor information security projects.
2.4.1.7.2 Manage the budget, spending and cost of the information security program.
2.4.1.7.3 Manage, track and update all information security contracts with vendors, and manage the related business
relationships and administrative processes.
2.4.1.7.4 Build and enhance the information security vendor database and selection criteria on a regular basis.
2.4.1.7.5 Ensure information security requirements are defined, approved, implemented and communicated within
the contract and vendor management processes.
2.4.1.7.6 Ensure information security requirements for outsourcing are defined, approved, implemented and
communicated within <Bank Name>.

2.4.1.7.7 Ensure the effectiveness of information security requirements within the outsourcing process is reviewed
and measured periodically.

2.4.1.8 Human Resources

2.4.1.8.1 Ensure information security requirements are addressed in the human resources process so that
information security risks are identified and addressed.
2.4.1.8.2 Ensure information security compliance reviews are performed for <Bank Name>’s information asset management.

2.4.1.8.3 Ensure the effectiveness of information security requirements within <Bank Name>’s human resources
process is reviewed and measured periodically.

2.4.2 Cyber Security Risk and Compliance Management
2.4.2.1 Information Security Risk Management

2.4.2.1.1 Ensure the information security risk management process is defined, approved, communicated and
implemented.
2.4.2.1.2 Ensure the information security risk management process addresses <Bank Name> information assets,
including (but not limited to) business processes, business applications and infrastructure components.
2.4.2.1.3 Conduct risk assessments for all new projects and initiatives, and design the security requirements and controls.
2.4.2.1.4 Ensure annual reviews and penetration tests are conducted for customer-facing and internet-facing services.
2.4.2.1.5 Maintain the risk register, and track and manage all identified information security risks. Evaluate, report and
act on threats and vulnerabilities.
2.4.2.1.6 Provide interactive security risk and privacy consultancy to all business and IT areas.

2.4.2.1.7 Maintain the asset register for critical information assets, and ensure security reviews are conducted
periodically for critical information assets.
2.4.2.1.8 Conduct penetration testing of information assets throughout the bank.

2.4.2.1.9 Maintain the penetration test lab with the required tools and update them as required. Manage access to
penetration test tools and monitor their proper use.
2.4.2.1.10 As and when authorized by management, monitor the exploitation of identified weaknesses and ensure that
any exploitation is a controlled activity carried out only to the extent authorized by management.
2.4.2.1.11 Ensure the information security risk appetite and risk tolerance are clearly defined and formally approved.

2.4.2.2 Information Security Compliance Management

2.4.2.2.1 Ensure compliance with relevant regulatory requirements affecting cyber security across <Bank Name>.
Compliance reviews are performed periodically or when new regulatory requirements become effective.
2.4.2.2.2 Ensure compliance reviews are performed against the ISMS framework policies, standards and MSBs.
2.4.2.2.3 Ensure suitable representatives from key areas of the bank are involved in the compliance review process.

2.4.2.2.4 Ensure the information security policy, standards and procedures are updated to accommodate any necessary
changes as applicable.

2.4.2.3 Cloud Computing

2.4.2.3.1 Ensure information security requirements for cloud computing are defined, approved, implemented and
communicated within <Bank Name>.

2.4.2.3.2 Ensure the effectiveness of information security requirements within the cloud computing process is reviewed
and measured periodically.
2.4.2.3.3 Ensure compliance reviews are performed for information assets hosted in the cloud.

2.4.2.4 Information Security in Project Management

2.4.2.4.1 Ensure information security requirements are addressed in <Bank Name>’s initiatives so that
information security risks are identified and addressed as part of each project.
2.4.2.4.2 Ensure information security is part of all phases of the EPM and of RFCs.

2.4.2.5 Secure Disposal of Information Assets


2.4.2.5.1 Ensure information security requirements are addressed when disposing of information assets that are no
longer required.
2.4.2.5.2 Ensure the effectiveness of information security requirements within the secure disposal of information assets
process is reviewed and measured periodically.

2.4.2.6 Payment Systems

2.4.2.6.1 Ensure information security requirements are addressed in <Bank Name>’s payment systems so that
information security risks are identified and addressed.
2.4.2.6.2 Ensure information security compliance reviews are performed for <Bank Name>’s payment systems.

2.4.2.6.3 Ensure the effectiveness of information security requirements within <Bank Name>’s payment systems
process is reviewed and measured periodically.

2.4.2.7 Electronic Banking Services

2.4.2.7.1 Ensure information security requirements are addressed in <Bank Name>’s electronic banking services so
that information security risks are identified and addressed.
2.4.2.7.2 Ensure information security compliance reviews are performed for <Bank Name>’s electronic banking services.

2.4.2.7.3 Ensure the effectiveness of information security requirements within <Bank Name>’s electronic banking
services process is reviewed and measured periodically.

2.4.2.8 Information Asset Management

2.4.2.8.1 Ensure information security requirements are addressed in <Bank Name>’s information asset management so
that information security risks are identified and addressed.
2.4.2.8.2 Ensure information security compliance reviews are performed for <Bank Name>’s information asset management.

2.4.2.8.3 Ensure the effectiveness of information security requirements within <Bank Name>’s information asset
management process is reviewed and measured periodically.

2.4.2.9 Physical Security Reviews

2.4.2.9.1 Ensure information security requirements are addressed in <Bank Name>’s physical security reviews so
that information security risks are identified and addressed.
2.4.2.9.2 Ensure the effectiveness of information security requirements over physical security is reviewed and
measured periodically.

2.4.3 Cyber Security Infrastructure
2.4.3.1 Information Security Infrastructure
2.4.3.1.1 Ensure security infrastructure standards are defined, approved and implemented.

2.4.3.1.2 Ensure security infrastructure standards cover all <Bank Name> instances of infrastructure in the main
datacenter(s) and disaster recovery center(s).
2.4.3.1.3 Ensure security infrastructure components are monitored to assure availability, confidentiality and integrity.
2.4.3.1.4 Ensure security infrastructure components are administered to assure accountability and availability.
2.4.3.1.5 Ensure security infrastructure components are upgraded or replaced to assure scalability.
2.4.3.1.6 Ensure the effectiveness of security infrastructure controls is reviewed and measured periodically.

2.4.3.1.7 Ensure the <Bank Name> operating environment uses approved software and secure protocols, and that
appropriate controls are in place against malicious code or software.

2.4.3.2 Cryptography

2.4.3.2.1 Ensure cryptographic standards, solutions and encryption key lifecycle management are defined, approved
and implemented.
2.4.3.2.2 Ensure the cryptographic standard covers all <Bank Name> cryptographic infrastructure in the main
datacenter(s) and disaster recovery center(s).
2.4.3.2.3 Ensure cryptographic devices are monitored to assure availability, confidentiality and integrity.
2.4.3.2.4 Ensure the effectiveness of the cryptographic standard and solutions is reviewed and measured periodically.
2.4.3.2.5 Ensure cryptographic keys are managed to ensure accountability and availability.

2.4.3.2.6 Ensure a repository of digital signatures and digital keys is maintained, with a designated key custodian
holding key management responsibility (including key generation, key issue, key retirement, maintaining the
revocation list, etc.) for all digital keys used throughout the bank.
2.4.3.2.7 Ensure a repository of certificates is maintained, with a designated certificate custodian holding key
management responsibility (including certificate generation, certificate issue, certificate retirement,
maintaining the revocation list, etc.) for all certificates used throughout the bank.
2.4.3.2.8 Ensure key management measures are undertaken for the bank’s key management zones.

2.4.4 Cyber Security Center (CSC)


2.4.4.1 Security Event Management

2.4.4.1.1 Ensure the security event management process and the security event monitoring standard are defined,
approved and implemented.
2.4.4.1.2 Ensure the effectiveness of cyber security controls within the security event management process is reviewed
and measured periodically.
2.4.4.1.3 Ensure a restricted area is provided for SOC activities and workspaces.
2.4.4.1.4 Ensure the resources required for continuous (24x7) security event monitoring activities are in place.
2.4.4.1.5 Ensure detection and handling of security threats.
2.4.4.1.6 Ensure detection and handling of security alerts or suspicious events and anomalies.
2.4.4.1.7 Ensure the network packet analysis solution is monitored.
2.4.4.1.8 Ensure information assets’ security logs are adequately protected.
2.4.4.1.9 Ensure automated and centralized analysis of security logs and correlation of events or patterns (i.e.,
Security Information and Event Management (SIEM)).
2.4.4.1.10 Ensure reporting of cyber security incidents.
2.4.4.1.11 Ensure the effectiveness of the security operations center is reviewed independently.

2.4.4.2 Security Incident Management

2.4.4.2.1 Ensure the security incident management process is defined, approved, implemented and aligned with the
enterprise incident management process.
2.4.4.2.2 Ensure the security incident management process addresses the mandatory and suspicious security events
that must be responded to.
2.4.4.2.3 Ensure the effectiveness of security controls within the security incident management process is reviewed and
measured periodically.
2.4.4.2.4 Ensure that incidents assigned to their support groups are resolved, service is restored and the incident is
recorded for review.

2.4.4.3 Security Threat Management

2.4.4.3.1 Ensure the security threat management process is defined, approved, implemented and aligned with the
enterprise security incident management process.
2.4.4.3.2 Ensure the security threat management process addresses the mandatory and suspicious security events
that must be responded to.
2.4.4.3.3 Ensure the effectiveness of security controls within the security threat management process is reviewed and
measured periodically.
2.4.4.3.4 Ensure the threat management process takes input from security devices, access control, the SIEM and other
allied risk management functions of the bank, as well as from external sources such as SAMA, NCA and other
regulators.
2.4.4.3.5 Ensure threat information feeds are communicated to relevant external stakeholders such as SAMA and BCIS
members.

2.4.4.4 Vulnerability Management


2.4.4.4.1 Ensure the vulnerability management process is defined, approved and implemented.
2.4.4.4.2 Ensure the effectiveness of the vulnerability management process is reviewed and measured periodically.

2.5 INFORMATION TECHNOLOGY GROUP (ITG)


Role
The Chief Information Officer (CIO) should understand and be fully committed to the implementation of
the information security policies and standards throughout <Bank Name>.

Responsibilities
ITG must comply with the Bank’s information security policies and standards. Its responsibilities include:

2.5.2.1 ITG must ensure that all security policies and standards relevant to ITG are carried out correctly.

2.5.2.2 ITG Management must ensure that all areas within ITG are subjected to regular review to ensure
compliance with security policies and functional policies.

2.5.2.3 Information systems must be regularly checked for compliance with information security functional
policies and standards.

2.5.2.4 ITG should take the initiative to consider information security requirements in all its dealings with
vendors.

2.5.2.5 ITG should play a proactive role in reporting to InfoSec any gaps in the information security policies and
standards or any violations to these policies and standards.

2.5.2.6 ITG should provide full support for investigations of incidents and implement recommended
countermeasures in a timely manner.

2.5.2.7 ITG will ensure appropriate security skill enhancement training of its staff based on their roles and
responsibility.

2.5.2.8 ITG should ensure a patch management process is in place for all IT environments, so that all findings from
vulnerability scans reported by InfoSec are attended to and closed.

2.5.2.9 ITG should ensure that all newly introduced equipment, systems and software implementations are
deployed with InfoSec signoff.

2.5.2.10 Ensure that all changes released to production are properly tested and documented.

2.5.2.11 Ensure production/real customer data is scrambled before it is used for testing purposes; otherwise a
properly approved deviation should be submitted.

2.6 ITG–TELECOMS SERVICES DEPARTMENT


Role
The Communications (Data and Voice) and networking function is responsible for implementing
Information Security Policies & Procedures relating to communication systems (including but not limited
to network and telecommunications security, routers, IDS, IPS, firewall, WAN and internet & Intranet
security) and management of network components. This includes ensuring that all IT communication
resources are protected from unauthorized access, initiating corrective measures and reporting security
breaches. ITG-Communication function is the Custodian for network security devices under their
management with advice from InfoSec.

Responsibilities

2.6.2.1 Ensure logical and physical security measures are in place over communication systems (e.g., leased lines,
routers, modems, WAN, Internet, Intranet, firewall, IDS, IPS, etc.).

2.6.2.2 Ensure that all Information communication resources are protected from unauthorized access.

2.6.2.3 Ensure the integrity, confidentiality and availability of data travelling over the communications network.

2.6.2.4 Any changes to firewall rule sets are to be performed with proper authorization only. If any unauthorized
changes to rule sets are observed, they must be reported to InfoSec. Maintain the
approvals/documentation for every change to rule sets. Provide configurations to Information Security
for their periodic review and rectify any observations promptly.

2.6.2.5 Review firewall and router configuration standards in coordination with the InfoSec Department.

In establishing such configuration standards, <Bank Name> must assure that these standards address all
known security vulnerabilities and are consistent with industry-accepted system hardening standards as
defined, for example, by the “System Administration, Network, Security Institute” (SANS), the National
Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). The standard should
include the following:
2.6.2.5.1 A formal process for approving all external network connections and changes to the firewall configuration.

2.6.2.5.2 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and
the internal network zone.
2.6.2.5.3 Firewall standard: ensure that every change to the firewall rule set is made with proper approval, including
justification/documentation, especially for opening any risky protocols such as FTP.

2.6.2.6 Synchronize router configuration files: the running configuration (used for normal functioning of the
routers) and the startup configuration (loaded when the devices are rebooted) should have the same
configuration.

2.6.2.7 Ensure monthly backups of all existing firewall and router configurations are taken and stored securely offsite.

2.6.2.8 Maintain proper segregation and isolation of network security zones by placing firewalls and routers with
appropriate routing and firewall rules.

2.6.2.9 Correct identified vulnerabilities in the existing communications system.

2.6.2.10 Review network logs.

2.6.2.11 Investigate incidents and report the findings to InfoSec.

2.6.2.12 Ensure that the network O/S is maintained in accordance with the ‘IOS Review procedure’ as published by
ITG/Telecoms.

2.6.2.13 Maintain firewall and router configurations as per <Bank Name> standards and maintain appropriate
documentation including:
2.6.2.13.1 Changes to the firewall, router and security device (e.g., IDS, IPS) configuration.
2.6.2.13.2 A current network diagram (covering, but not limited to, cardholder data) including any wireless networks.
2.6.2.13.3 A description of groups, roles, and responsibilities for logical management of network components.
2.6.2.13.4 Ensure only approved services/ports are opened or used, both inbound and outbound.
2.6.2.13.5 Ensure the firewall and router configurations are kept current and up to date after applying the standards
agreed upon with Information Security.

2.6.2.14 Participate in testing, releasing and applying security patches to all network and security devices.

2.6.2.15 Support Information Security in conducting the investigations of incidents by providing required technical
support and infrastructure.

2.7 ITG–USER ACCESS MANAGEMENT


Role
Centralized custodian and controller of all logical access control in the <Bank Name>.

Responsibilities

2.7.2.1 Own all logical access to systems, databases and applications, and assign it to users as per business
requirements / the Owner’s mandate.

2.7.2.2 Participate in technical standards sign-off as applicable and user access security parameter sign-off.

2.7.2.3 Provision and de-provision logical user access for applications, databases and systems.

2.7.2.4 Manage user access request forms and the approval workflow system.

2.7.2.5 Configure profiles in accordance with defined, documented and approved user profiles.

2.7.2.6 Handle credential reset and user unlock requests.

2.7.2.7 Clean up and revoke user access for terminated staff.

2.7.2.8 Configure security parameters in accordance with the security standard and baseline.

2.7.2.9 Provide application support to ensure that policies and procedures for granting, changing and deleting
access are applied on a “need to know and need to do” basis.

2.7.2.10 Ensure access to application programs and/or files and other sensitive system files is appropriately restricted.

2.8 ITG–TECHNICAL SUPPORT


Role
The Technical support function is primarily responsible for implementing IT Security Policies & Standards
relating to desktops at branches, Head Office and other offices of <Bank Name>. This includes enforcing
logical and physical security measures, initiating protective and corrective measures if a security problem
is discovered and reporting security breaches to InfoSec. It shall act as the custodian for Information
Security in implementing the Information Security Policies and Standards at the branches and offices of
<Bank Name>.

Responsibilities

2.8.2.1 Ensure that access to network and shared resources is duly authorized.

2.8.2.2 Ensure that user privileges at the LAN/WAN level are based on a “need to know/ need to do” basis.

2.8.2.3 Review to ensure that physical and logical security standards related to desktop security are being
followed (e.g., procedures to maintain inventory of computer equipment, virus protection procedures,
license monitoring procedures, use of screen saver and BIOS passwords, etc.).

2.8.2.4 Support Information Security in conducting the investigations of incidents by providing required technical
support and infrastructure.

2.8.2.5 Participate in testing, releasing and applying security patches to all systems and local security devices.

2.9 ITG–APPLICATIONS DEVELOPMENT


Role
The Business Applications Development Function is primarily responsible for implementing IT Security
Policies & Standards relating to the development of various business application systems, core business
systems and other key applications under its custody. This includes enforcing development-related logical
security measures over these application systems, initiating protective and corrective measures if a
security problem is discovered and reporting security breaches to the Information Security Department.

Responsibilities

2.9.2.1 Enforce implementation of IT Security Policies and Standards relating to application systems development.

2.9.2.2 Enforce logical security measures over applications and support systems under its custody (e.g., interfaces,
applications, etc.) as per Information Security Policy and Standards.

2.9.2.3 Initiate protective and corrective measures if a security problem is discovered.

2.9.2.4 Ensure that role privileges are commensurate with the job roles & responsibilities as mandated by system
or application owner from application design and development perspective.

2.9.2.5 Ensure the protocols, services and ports required by the application and system are fully documented.

2.9.2.6 Adhere to approved release and change management process.

2.9.2.7 Ensure that the application security features used are documented (e.g., encryption used, digital signatures
or keys used, and protection of parameter files).

2.10 ITG–APPLICATIONS SUPPORT


Role
The Business Applications Support Function is primarily responsible for implementing IT Security Policies &
Standards relating to various application systems, databases, core business systems and other key
applications. This includes enforcing logical security measures over these application systems, initiating
protective and corrective measures if a security problem is discovered and reporting security breaches to
the Information Security Department.

Responsibilities

2.10.2.1 Enforce implementation of IT Security Policies and Standards relating to application systems.

2.10.2.2 Enforce logical security measures over applications and support systems (e.g., databases, interfaces,
applications, etc.).

2.10.2.3 Initiate protective and corrective measures if a security problem is discovered.

2.10.2.4 Adhere to approved release and change management process.

2.10.2.5 Participate in testing, releasing and applying security patches to applications.

2.11 ITG–SYSTEMS AND DATA SERVICES


Role
The System and Database Administration Function is designated to maintain, operate and implement
technology platforms and solutions for <Bank Name>.

Responsibilities
The System and Database Administration Function is responsible for:

2.11.2.1 Deploying and implementing security controls on all systems and databases, and communicating security-
related incidents and issues to <Bank Name>’s Information Security Department.

2.11.2.2 Support Information Security Department in conducting the investigations of incidents by providing
required technical support and infrastructure.

2.11.2.3 Participate in testing, releasing and applying security patches to systems and databases.

2.12 ITG–SERVICE DESK
Role
Act as a primary contact to information users to report events/incidents, classify them and escalate to the
appropriate team such as Technical Support, Monitoring or Information Security Department, as needed.

Responsibilities

2.12.2.1 Log all incidents reported by the users.

2.12.2.2 Classify security events and escalate them to Technical Support Function, Monitoring Function or
Information Security Department depending on severity levels.

2.12.2.3 Generate a report of security incidents, when reported, and forward it to the Information Security Department.

2.12.2.4 Ensure that all incidents are properly documented and closed.

2.13 OWNERS OF INFORMATION ASSETS


Role
Ultimate ownership of information assets lies with the business owner. The business owner is therefore
responsible for classifying their assets, delegating specific responsibilities to appropriate custodians, and overseeing
the security responsibilities for their assets.

Responsibilities

2.13.2.1 Ensure information assets are classified as per the information classification standard and are periodically reviewed.

2.13.2.2 Ensure access to information assets is granted to users on a “need to know” and “need to do” basis.

2.13.2.3 Ensure one or more custodians are delegated and specific responsibilities are assigned to them.

2.14 CUSTODIAN OF INFORMATION ASSETS


Role
A Custodian is any employee, vendor, contractor, or other authorized person who has the responsibility
for maintaining and/or supporting information assets.

Responsibilities

2.14.2.1 The Custodian inherits the owner’s responsibilities, except for asset classification.

2.14.2.2 The Custodian provides the service levels assigned by the owner, both when determining technical and operational
solutions and in day-to-day operation.

2.14.2.3 Custodians review and agree the security responsibilities for information assets covering their
confidentiality, availability and integrity.

2.15 INTERNAL AND EXTERNAL AUDITOR
Role
The role of internal and external auditors is to provide independent information security assessments /
reviews / audits according to generally accepted auditing standards and SAMA cyber security framework.

Responsibilities

2.15.2.1 Ensure information security audits are performed according to <Bank Name>’s audit manual and audit plan.

2.15.2.2 Ensure that audit engagements do not disrupt or impact the bank’s system functions and processes during the
course of the engagement.

2.16 INFORMATION USERS


Role
An Information User is any employee, vendor, contractor, or other authorized person who accesses the
information in the course of their daily work.

Responsibilities

2.16.2.1 Ensure the Information Security policy, procedures and standards are adhered to.

2.16.2.2 Ensure information security incidents are reported on time.

2.16.2.3 Ensure <Bank Name> information assets are used according to <Bank Name>’s acceptable usage policy.

3 Appendix
3.1 RACI MATRIX
Accountable: This role will be called to account if the risks materialize (usually because preventive controls
fail). It is generally the budget holder, who delegates the work to those responsible and who
signs off (approves) the work that the responsible role provides.
Responsible: This role has primary responsibility for performing the activities in this section.
Consulted: This is a hands-off role, offering guidance and direction to those more actively involved; typically a
subject matter expert.
Informed: This role has an interest in the status of the risks in this section and should be kept informed
of developments.

Information Security Department (InfoSec)

Statement | Information Security Committee | Senior Management | CSO | ITG | Cyber Security Governance and Strategy | Cyber Security Risk and Compliance | Cyber Security Infrastructure | Cyber Security Center | Cyber Security Supply Chain
2.2.1.1 A R R R R R C R R
2.2.1.2 A R R R R R C R R
2.2.1.3 A R R I C I I I I
2.2.1.4 A R R I R R R C R
2.2.1.5 A R R I C C C C C
2.2.1.6 A R R R R R R C R
2.2.1.7 A R R I I I I C I
2.2.1.8 A R R C R I I C I
2.2.1.9 A R R C R I I C I

2.3.1.1 A R R C I I I C I
2.3.1.2 A R R C I I I C I
2.3.1.3 A R R C I I I C I

2.4.2.1 C R A R R R R R R
2.4.2.2 C R A C C C C C C
2.4.2.3 C R A R R R R R R
2.4.2.4 C R A I I I C C I
2.4.2.5 C R A R R R R R R
2.4.2.6 C R A I I I I I R
2.4.2.7 C R A I I C I I R
2.4.2.8 C R A I I C I I R
2.4.2.9 C R A I I C I I R
2.4.2.10 C R A I I C I I R

2.4.2.11 C R A I I C I I R

2.5.1.1.1 I R A I R C C C C
2.5.1.1.2 I R A I R C C C C
2.5.1.1.3 I R A I R C C C C
2.5.1.1.4 I R A I R C C C C
2.5.1.1.5 I R A I R C C C C
2.5.1.1.6 I R A I R C C C C

2.5.1.2.1 I R A I R C C C C
2.5.1.2.2 I R A I R C C C C
2.5.1.2.3 I R A I R C C C C
2.5.1.2.4 I R A I R C C C C

2.5.1.3.1 I R A I R C C C C
2.5.1.3.2 I R A I R C C C C
2.5.1.3.3 I R A I R C C C C
2.5.1.3.4 I R A I R C C C C
2.5.1.3.5 I R A I R C C C C
2.5.1.3.6 I R A I R C C C C
2.5.1.3.7 I R A I R C C C C
2.5.1.3.8 I R A I R C C C C
2.5.1.3.9 I R A I R C C C C
2.5.1.3.10 I R A I R C C C C

2.5.1.4.1 I R A I R C C C C
2.5.1.4.2 I R A I R C C C C
2.5.1.4.3 I R A I R C C C C
2.5.1.4.4 I R A I R C C C C
2.5.1.4.5 I R A I R C C C C
2.5.1.4.6 I R A I R C C C C

2.5.1.5.1 I R A I R I C I I
2.5.1.5.2 I R A I R I C I I
2.5.1.5.3 I R A I R I C I I
2.5.1.5.4 I R A I R I C I I
2.5.1.5.5 I R A I R I C I I

2.5.1.6.1 I R A I R C I I I
2.5.1.6.2 I R A I R C I I I
2.5.1.6.3 I R A I R C I I I
2.5.1.6.4 I R A I R C I I I

2.5.1.7.1 I R A I C C C R C
2.5.1.7.2 I R A I C C C R C
2.5.1.7.3 I R A I C C C R C
2.5.1.7.4 I R A I C C C R C
2.5.1.7.5 I R A I C C C R C
2.5.1.7.6 I R A I C C C R C
2.5.1.7.7 I R A I C C C R C

2.5.1.8.1 I R A I R C C C C
2.5.1.8.2 I R A I R C C C C
2.5.1.8.3 I R A I R C C C C

2.5.2.1.1 I R A I C R C C C
2.5.2.1.2 I R A I C R C C C
2.5.2.1.3 I R A I C R C C C
2.5.2.1.4 I R A I C R C C C
2.5.2.1.5 I R A I C R C C C
2.5.2.1.6 I R A I C R C C C
2.5.2.1.7 I R A I C R C C C
2.5.2.1.8 I R A I C R C C C
2.5.2.1.9 I R A I C R C C C
2.5.2.1.10 I R A I C R C C C
2.5.2.1.11 I R A I C R C C C

2.5.2.2.1 C A R R C R C C C
2.5.2.2.2 C A R R C R C C C
2.5.2.2.3 C A R R C R C C C
2.5.2.2.4 C A R R C R C C C

2.5.2.3.1 C A R R C R C C C
2.5.2.3.2 C A R R C R C C C
2.5.2.3.3 C A R R C R C C C

2.5.2.4.1 C A I I C R C C C
2.5.2.4.2 I R A I C R C C C

2.5.2.5.1 I R A I C R C C C
2.5.2.5.2 I R A I C R C C C

2.5.2.7.1 I R A I C R C C C

2.5.2.7.2 I R A I C R C C C
2.5.2.7.3 I R A I C R C C C

2.5.2.8.1 I R A I C R C C C
2.5.2.8.2 I R A I C R C C C
2.5.2.8.3 I R A I C R C C C

2.5.2.9.1 I R A I C R C C C
2.5.2.9.2 I R A I C R C C C

2.5.3.1.1 I R A I C C R C C
2.5.3.1.2 I R A I C C R C C
2.5.3.1.3 I R A I C C R C C
2.5.3.1.4 I R A I C C R C C
2.5.3.1.5 I R A I C C R C C
2.5.3.1.6 I R A I C C R C C
2.5.3.1.7 I R A I C C R C C

2.5.3.2.1 I R A I C C R C C
2.5.3.2.2 I R A I C C R C C
2.5.3.2.3 I R A I C C R C C
2.5.3.2.4 I R A I C C R C C
2.5.3.2.5 I R A I C C R C C
2.5.3.2.6 I R A I C C R C C
2.5.3.2.7 I R A I C C R C C
2.5.3.2.8 I R A I C C R C C

2.5.4.1.1 I R A I C C C C R
2.5.4.1.2 I R A I C C C C R
2.5.4.1.3 I R A I C C C C R
2.5.4.1.4 I R A I C C C C R
2.5.4.1.5 I R A I C C C C R
2.5.4.1.6 I R A I C C C C R
2.5.4.1.7 I R A I C C C C R
2.5.4.1.8 I R A I C C C C R
2.5.4.1.9 I R A I C C C C R
2.5.4.1.10 I R A I C C C C R
2.5.4.1.11 I R A I C C C C R

2.5.4.2.1 I R A I C C C C R
2.5.4.2.2 I R A I C C C C R

2.5.4.2.3 I R A I C C C C R
2.5.4.2.4 I R A I C C C C R

2.5.4.3.1 I R A I C C C C R
2.5.4.3.2 I R A I C C C C R
2.5.4.3.3 I R A I C C C C R
2.5.4.3.4 I R A I C C C C R
2.5.4.3.5 I R A I C C C C R

2.5.4.4.1 I R A I C C C C R
2.5.4.4.2 I R A I C C C C R

Information Technology Group (ITG)

Statement | Information Security Committee | Senior Management | CIO | InfoSec | Telecoms Services | User Access Management | Technical Support | Applications Development | Applications Support | Systems and Data Services | Service Desk
2.6.2.1 I A A C R R R R R R R
2.6.2.2 I A A C R R R R R R R
2.6.2.3 I A A I R R R R R R R
2.6.2.4 I A A I R R R R R R R
2.6.2.5 I A A I R R R R R R R
2.6.2.6 I A A I R R R R R R R
2.6.2.7 I A A I R R R R R R R
2.6.2.8 I A A I R R R R R R R
2.6.2.9 I A A I R R R R R R R
2.6.2.10 I A A I R R R R R R R
2.6.2.11 I A A I R R R R R R R

2.7.2.5.1 I A A I R C C C C C C
2.7.2.5.2 I A A I R C C C C C C
2.7.2.5.3 I A A I R C C C C C C
2.7.2.6 I A A I R C C C C C C
2.7.2.7 I A A I R C C C C I I
2.7.2.8 I A A I R C C C C C C
2.7.2.9 I A A I R C C C C C C
2.7.2.10 I A A I R C C C C C C

2.7.2.11 I A A I R C C C C C C
2.7.2.12 I A A I R C C C C C C
2.7.2.13 I A A I R C C C C C C
2.7.2.13.1 I A A I R C C C C C C
2.7.2.13.2 I A A I R C C C C C C
2.7.2.13.3 I A A I R C C C C C C
2.7.2.13.4 I A A I R C C C C C C
2.7.2.13.5 I A A I R C C C I C C
2.7.2.14 I A A I R C C C I C C
2.7.2.15 I A A I R C C C I C C

2.8.2.1 I A A I C C R I I I I
2.8.2.2 I A A I C C R C C C I
2.8.2.3 I A A I C C R C C C I
2.8.2.4 I A A I C C R C C C I
2.8.2.5 I A A I C C R C C C I
2.8.2.6 I A A I C C R C C C I
2.8.2.7 I A A I C C R C C C I
2.8.2.8 I A A I C C R C C C I
2.8.2.9 I A A I C C R C C C I
2.8.2.10 I A A I C C R C C C I

2.9.2.1 I A A I I I I R C I I
2.9.2.2 I A A I I I I R C I I
2.9.2.3 I A A I I I I R C I I
2.9.2.4 I A A I I I I R C I I
2.9.2.5 I A A I I I I R C I I

2.10.2.1 I A A I I I I C R C I
2.10.2.2 I A A I I I I C R C I
2.10.2.3 I A A I I I I C R C I
2.10.2.4 I A A I I I I C R C I
2.10.2.5 I A A I I I I C R C I
2.10.2.6 I A A I I I I C R C I
2.10.2.7 I A A I I I I C R C I

2.11.2.1 I A A I I I I I I R I
2.11.2.2 I A A I I I I I I R I

2.11.2.3 I A A I I I I I I R I
2.11.2.4 I A A I I I I I I R I
2.11.2.5 I A A I I I I I I R I

2.12.2.1 I A A I I I I I I I R
2.12.2.2 I A A I I I I I I I R
2.12.2.3 I A A I I I I I I I R

2.13.2.1 I A A I I I I I I I R
2.13.2.2 I A A I I I I I I I R
2.13.2.3 I A A I I I I I I I R
2.13.2.4 I A A I I I I I I I R

Owners of Information Assets, Custodian of Information Assets, Internal & External Auditor
and Information Users

Statement | Senior Management | Chief Internal Audit | CSO | CIO | ITG | InfoSec | Owner of Information Assets | Custodian of Information Assets | Internal & External Auditor | Information Users

2.14.2.1 I I C I C C R I I I
2.14.2.2 I I I I C C R I I I
2.14.2.3 I I I I C C R I I I

2.15.2.1 I I C C C C A R I I
2.15.2.2 I I C C C C A R I I
2.15.2.3 I I C C C C A R I I

2.16.2.1 A I C C C C I I R I
2.16.2.2 A I C C C C I I R I

2.17.2.1 I I I I I I A C I R
2.17.2.2 I I I I I I A C I R
2.17.2.3 I I C I I I A C I R

3.2 RELATED DOCUMENT(S)
• Information Security Policy.
• InfoSec Committee - Terms of Reference.
• Information Security Strategy.
• Governance Manual – Information Security Management System.
• National Cybersecurity Authority (NCA).
• SAMA Cyber Security Framework.
