Third-Party & Cloud Cybersecurity (Domain 4)
Domain 4: managing third-party and cloud risk, contracts, vetting, and keeping data inside the Kingdom.
4 Third-Party and Cloud Computing Cybersecurity tap to learn what this means 2 subdomains · 8 controls
and security is about managing the you take on when other people run, host, or touch your systems and data.
In ECCIn , Domain 4 requires vetting and setting cybersecurity requirements before contracts are signed, and adds -specific rules; most notably keeping regulated data hosted inside the Kingdom.
How do controls actually work?
A control is just a safeguard that lowers a risk. You reduce risk by putting the right set of controls in place, and almost every ECC control follows the same three steps:
- Policy Write the rule down and get leadership to approve it. This is the foundation, nearly everything starts here.
- Implement Put it into practice: the secure configuration, technical settings and standards that enforce the rule.
- Review Check on a schedule (an audit) that it is actually done and working, and fix what is not.
A policy with no implementation is just paper; implementation with no review quietly rots. Each control below is tagged with the step it belongs to.
-
4-1 Third-Party Cybersecurity 4
What it isSetting and enforcing security requirements on the outside companies you rely on ; before and during the relationship.
Why you need itAttackers often get in through a weaker . The you outsource is still your risk.
How to establish itPut security and clauses in contracts, require -notification , assess before signing, and keep /managed-service centres with inside Saudi Arabia.
The controls, what to implement 4- Policy 4-1-1
Put a in place; write the rules for cybersecurity and get leadership to formally approve them.
- Requirements 4-1-2
In contracts (e.g. SLAs), at a minimum: include and secure data-removal clauses for end of service; set -communication ; and require the third party to follow your security requirements and the law.
- Requirements 4-1-3
For IT/cybersecurity or managed-service contracts, at a minimum: do a cyber and have mitigations in place before signing; and keep managed /operations centres that use fully inside Saudi Arabia.
- Review 4-1-4
On a regular schedule, check (an ) that cybersecurity is still being done and is working.
Show the official ECC wording
Objective. To ensure the protection of the entity's assets against third-party cybersecurity risks (including Information Technology (IT) outsourcing, cybersecurity outsourcing, and managed services), as per the entity's regulatory policies and procedures and the relevant legislative and regulatory requirements.
- 4-1-1 Cybersecurity requirements for the entity's contracts and agreements with third parties shall be identified, documented, and approved.
- 4-1-2 Cybersecurity requirements for contracts and agreements with third parties, e.g. Service Level Agreement (SLA), which, if impaired, may affect the entity's data or services shall include the following as a minimum: 4.1.2.1 Clauses of non-disclosure and the secure removal of the entity's data by the third party upon the end of service. 4.1.2.2 Communication procedures in case of the occurrence of a cybersecurity incident. 4.1.2.3 Obligating the third party to apply the entity's cybersecurity requirements and policies and the relevant legislative and regulatory requirements.
- 4-1-3 Cybersecurity requirements for contracts and agreements with third parties providing IT or cybersecurity outsourcing or managed services shall include the following as a minimum: 4.1.3.1 Conducting a cybersecurity risk assessment and ensuring the availability of risk mitigation controls before signing contracts and agreements or upon making changes to the relevant legislative and regulatory requirements. 4.1.3.2 Cybersecurity managed service centers for monitoring and operations which use remote access shall be fully located in the Kingdom of Saudi Arabia.
- 4-1-4 Cybersecurity requirements for third parties shall be periodically reviewed.
-
-
4-2 Cloud Computing and Hosting Cybersecurity 4
What it isExtra cybersecurity rules for when you use or hosting services ; including where your data is allowed to live.
Why you need itIn the you share infrastructure and hand data to a provider, yet you stay responsible for protecting it and keeping it in the right place.
How to establish itApply the other domains' to use too, make providers protect and return your data per its , keep regulated/government data hosted inside the Kingdom, and ensure your environment is separated from other .
The controls, what to implement 4- Policy 4-2-1
Put a in place; write the rules for and hosting cybersecurity and get leadership to formally approve them.
- Implement 4-2-2
Turn the into practice; apply the and hosting cybersecurity rules across the organisation (configure systems, follow ).
- Requirements 4-2-3
On top of the from Domains 1-3 and 4-1, at a minimum: providers must protect your data per its and return it in a usable format when service ends; and your environment (especially ) must be separated from other customers.
- Review 4-2-4
On a regular schedule, check (an ) that and hosting cybersecurity is still being done and is working.
Show the official ECC wording
Objective. To ensure proper and efficient remediation of cyber risks and implementation of cybersecurity requirements for cloud computing and hosting, as per the entity's regulatory policies and procedures, relevant legislative and regulatory requirements, orders, and decisions, and to ensure the protection of the entity's information and technology assets on cloud computing services hosted, processed, or managed by third parties.
- 4-2-1 Cybersecurity requirements for use of cloud computing and hosting services shall be identified, documented, and approved.
- 4-2-2 Cybersecurity requirements for the cloud computing and hosting services within the entity shall be implemented.
- 4-2-3 In accordance with the relevant legislative and regulatory requirements, and in addition to the applicable controls in the Main Domains (1), (2), and (3) and Subdomain (4.1) that are necessary to protect the entity's data or services provided thereto, cybersecurity requirements for use of cloud computing and hosting services shall include the following as a minimum: 4.2.3.1 Protection of entity's data by cloud and hosting service providers in accordance with its classification level and returning data (in a usable format) upon service completion. 4.2.3.2 Separation of the entity's environment (especially virtual servers) from environments of other entities within the cloud computing service provider.
- 4-2-4 Cybersecurity requirements for cloud computing and hosting services shall be periodically reviewed.
-
Domain 4 extends the baseline beyond the organisation’s own walls, the risk you outsource is still your risk. Subdomain 4-1 governs any third party (managed services, outsourcing, suppliers), requiring cybersecurity requirements before the contract is signed. Subdomain 4-2 adds cloud and hosting specifics, most notably data residency: regulated and government data is expected to be hosted inside Saudi Arabia.
Trap: cybersecurity requirements must be set before signing and screened during onboarding, not discovered in an audit afterwards. A cloud provider’s own certifications do not, by themselves, satisfy 4-2.