How to Comply with SAMA Encryption Requirements

Do you know about the new regulations introduced by the Saudi Arabian Monetary Authority (SAMA)? If your company or organization is based in Saudi Arabia, then you should! Here you will learn what are the SAMA regulations and what they have to say about 'Cryptography'. We will then share 3 steps on how you can build a successful strategy to comply with SAMA encryption requirements. 

 SAMA in a Nutshell

• When?
  The SAMA regulations were passed in May 2017.
• What?
  The regulations are laid out in the Cyber Security Framework that was released by the Saudi Arabian Monetary Authority (SAMA). Objectives of the framework:
  1.  Create a common approach for addressing cyber security. 
  2.  Achieve an appropriate maturity level of cyber security controls. 
  3.  Ensure cyber security risks are effectively managed. 
• Who?
  The SAMA regulations are mandatory to follow for all financial institutions that operate in Saudi Arabia, including: 
  - Banks
  - Insurance and reinsurance companies
  - Financing companies
  - Credit bureaus
  - The Financial Market Infrastructure

What Does SAMA Say about Encryption Requirements?

In short, the SAMA regulations state that cryptographic solutions must be defined, approved, and implemented by member organizations. Companies must also take responsibility for the management of encryption keys, as well as lifecycle management, archiving, and recovery. The image below provides a closer look at what the regulations say about encryption.

Prepare for SAMA Compliance

Complying with SAMA encryption requirements doesn’t have to be difficult. Just follow these 3 steps and make sure that your organization is compliant both now and in the future. 

1. Understand where your data resides
First, make sure you know where your data is saved. Monitor your data flow and keep track of where your information is stored, as well as how it’s being accessed and shared. Awareness of where your data is located will make it simpler to set up an encryption plan that takes all of your data into consideration. 

2. Classify and get organized
Build a data inventory by arranging your information in order of importance and risk. You should also consider putting someone in charge of data protection. Having a member of the team that’s formally dedicated to data protection will let your customers (and compliance officers) know that you are committed to protecting their sensitive information. 

3. Use the right tools
What kind of data do you need to encrypt? Answering this question will help you decide what type of encryption software your company should use. For example, if you want to make sure your data is secure if one of your devices is stolen or lost, you should use whole disk encryption to protect complete hard drives. Then again, if you want to protect a device that’s in use, you should invest in software that encrypts selected files. Finally, if you are concerned about data in transit, you should use an application that provides end-to-end encryption.  

How Encryption Works

The best encryption solution for your organization is a complete data protection program. Data encryption makes use of advanced algorithms to scramble your sensitive information into random characters. Only by using a personalized key, also known as password, are you able to convert your data back into the original text. 

Want to learn more about encrypting data and how encryption works? Check out our ultimate guide.