Aramco Third Party Cybersecurity Compliance Certificate Implementation

Recently a client engaged us to consult on and implement the Saudi Aramco Third Party Cybersecurity Compliance Certificate. Our client is a vendor of Saudi Aramco and, as per Saudi Aramco vendor requirements, has to comply with the cybersecurity requirements of the Third Party Cybersecurity Standard (SACS-002) under the Third-Party Cybersecurity Compliance Certificate program. We assisted our client in achieving the certification through our deep knowledge and understanding of Saudi Aramco’s Third Party Cybersecurity Standard (SACS-002). More information about the Third-Party Cybersecurity Compliance Certificate program is available here

We are delighted that our client was awarded the certificate within a short time from the start of the project.

To achieve the objective, we completed the following tasks:

1. Gap analysis: Prior to starting any work we conducted an in-depth gap analysis of the current state of the information technology infrastructure. The analysis gave us a complete picture of the task at hand.

2. Update of infrastructure: Based on the gap analysis we went about updating the infrastructure to bring it up to a level at which we could start work on the Third-Party Cybersecurity Compliance Certificate requirements. This included compiling an asset inventory, updating operating systems, migrating databases to local servers, implementing static IP addressing, upgrading office tools, enhancing Wi-Fi protection and more.

3. Compilation of an Acceptable Use Policy (AUP): The Acceptable Use Policy is the blueprint for all technical and practical methods of internal and external cyber security. We drafted a comprehensive policy based on SANS (SysAdmin, Audit, Network, and Security) Institute and similar best practices. The AUP guides the IT administrator on all matters and educates all employees. It also includes various forms such as the Aramco Cybersecurity Incident Response form, an employee exit checklist, information sanitization documentation, and employee confirmation of training and acceptance of the Acceptable Use Policy.

4. Group Policies via Domain Controller: A Microsoft Domain Controller was installed in the network and all laptops, desktops and servers were joined to the domain. Group Policy Objects (GPOs) included settings such as minimum password length, password expiry, password history (preventing reuse of the same password), account lockout duration and threshold, screen saver lock, disabling of display control, Windows operating system updates, blocking of file transfer/write ports such as USB flash drives and DVD writers, blocking of the command interpreter (cmd) for users, and more. The GPOs also prevented browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge from allowing users to save passwords within the browser. Internet Explorer was blocked; when a user tries to open it, it automatically redirects to Microsoft Edge.

5. Firewall implementation: To secure the perimeter a Sophos firewall appliance was installed, and a Sophos Xstream Protection subscription was added to the device to improve security. The subscription includes deep packet inspection, encrypted traffic inspection, network protection, web protection, zero-day and ML protection, and central orchestration with enhanced support. Access to local resources from remote locations is allowed via multi-factor authentication using the Sophos Authenticator app. The app generates both time-based and event-based one-time passwords (OTP) according to RFC 6238 (TOTP) and RFC 4226 (HOTP).

6. Endpoint security: All devices were secured through Kaspersky Endpoint Security for Business – Advanced. Group policies were created in the Kaspersky Control Centre to manage endpoint devices. The policies included real-time tracking of all devices, daily anti-virus database updates, weekly deep scans, patch management, file encryption, enhanced server security and more.

7. Microsoft 365 multi-factor authentication: To secure business email, multi-factor authentication was enabled on the Microsoft 365 services and all users were enrolled. Users now have to approve any sign-in request via the Microsoft Authenticator app on their mobile phones, and can deny any unknown login request, thereby blocking threat actors.

8. Cyber security training: All users attended a comprehensive cyber security training. Topics included what cyber security is, acceptable use of company infrastructure, social engineering, phishing emails, credential sharing, data security, clean desk policy, ransomware, hacking, impostor scams, email spoofing, viruses, malware, logic bombs, Trojan horses, do’s and don’ts, everyday tips and more.

9. Secure sanitization: As per the Third-Party Cybersecurity Compliance Certificate requirements, all data is to be sanitized (erased) using NIST (National Institute of Standards & Technology) 800-88 or a similar protocol at the end of the data life cycle or retention period, or before a device is transferred to a new user or destroyed. We recommended four software products that comply with NIST or similar best practices recommended by the UK’s National Cyber Security Centre (NCSC), NATO, the Common Criteria (EAL 3+), the Dutch General Intelligence and Security Service, the Finnish National Cyber Security Centre (TRAFICOM), ADISA (UK Asset Disposal and Information Security Alliance), HIPAA, Sarbanes-Oxley and German VSITR, among others. The AUP includes the method of sanitization, storage of sanitized drives and destruction of unusable drives.

10. Sender Policy Framework (SPF): SPF is used to authenticate the mail server that sends an email on behalf of a domain. With an SPF record published in the domain’s DNS, receiving mail servers and internet service providers can verify that the connecting mail server is authorized to send email for that specific domain.

11. Anti-malware and anti-spam protection on the email server: The mail server was updated to implement anti-malware and anti-spam policies. The policies block malicious content, handle bulk mail, and protect attachments and links through Safe Links and Safe Attachments. The anti-spam policy filters content and protects the server from inbound and outbound malicious traffic.

12. DomainKeys Identified Mail (DKIM) implementation: DKIM is a protocol that allows an organization to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. Verification is cryptographic: the receiving server retrieves the signing domain’s public key from a DNS record and checks the signature against the message. DKIM signing was added to the email service to enhance email security.

13. Securing assets and systems: In addition to user terminals, all critical assets and systems were secured through password policies and multi-factor authentication. Critical assets include the firewall appliance, domain controller, Kaspersky Control Centre, and backup and software servers.

14. Compilation of evidence and discussion with third-party IT auditors: After we had completed the implementation of all requirements, we compiled evidence from multiple sources for each requirement. The evidence included screenshots along with date, time, domain and user information obtained from the command interpreter (cmd) running with administrator privileges. The standard commands used were date /t for the day and date, wmic computersystem get domain for the domain name, and hostname for the computer ID. All evidence was added to the evidence document template provided by Aramco. Care was taken to ensure clean and clear screenshots were added for each Third-Party Control (TPC). Each TPC had the correct reference number, and the comments section text was precise so the auditor could review it easily. After accepting the evidence, the auditor conducted a discussion and real-time testing of the evidence we had provided. They reviewed our systems, firewall, endpoint security, group policy objects and a sample of user terminals. Once satisfied that all the Third-Party Controls were correctly implemented, the IT auditor issued the Third-Party Cybersecurity Compliance Certificate to our client.
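Item 10 describes what an SPF record lets a receiving server decide; the evaluation below shows how that decision is actually made. It is an added example written for this page, not the mail provider's code. Instead of live DNS it reads the TXT records from a constructed table (FAKE_DNS_TXT, using the reserved documentation names example.com and *.example and the RFC 5737 / RFC 3849 documentation address ranges), and it covers only the ip4, ip6, include and all mechanisms plus the ten-lookup limit; the function name check_spf is ours.

```python
"""Minimal SPF (RFC 7208) evaluator run against a constructed DNS table.

Added illustration, not the mail provider's code. Real resolvers fetch the
TXT records over DNS; here they come from FAKE_DNS_TXT so it runs offline.
Supports ip4, ip6, include and all with the +, -, ~, ? qualifiers.
"""
import ipaddress

# Constructed records. example.com / *.example are reserved documentation names.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than 10 lookups is a permerror


def check_spf(client_ip: str, domain: str, dns=FAKE_DNS_TXT, _lookups=None) -> str:
    """Return the SPF result for mail from `client_ip` claiming `domain`:
    pass / fail / softfail / neutral / none / permerror."""
    if _lookups is None:
        _lookups = [0]          # shared counter across include: recursion
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(client_ip, arg, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "temperror":
                return inner
            # fail / softfail / neutral inside the include: no match, keep going
        else:
            return "permerror"   # a, mx, exists, ptr, redirect= not implemented here
    return "neutral"             # ran off the end of the record without an "all"


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "2001:db8::1", "192.0.2.7"):
        print(f"{ip:>16} -> {check_spf(ip, 'example.com')}")
    print("loop.example     ->", check_spf("192.0.2.7", "loop.example"))
```

Two points in the record matter in practice: the final -all is what turns an unauthorized sender into a hard fail rather than a soft one, and the lookup counter is what stops a looping or bloated include: chain from turning SPF evaluation into a denial of service on the receiving server.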
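Item 12 says DKIM verification is cryptographic; the part of it that can be shown without an RSA library is the body hash (the bh= tag), which is what detects a message body altered in transit. The block below is an added example written for this page, not Microsoft 365 code. It implements the simple and relaxed body canonicalization of RFC 6376, computes bh=, and checks it against a DKIM-Signature header; the message body and the signature header are constructed for the example, the b= value is an obvious placeholder, and the decision to refuse signatures carrying an l= tag is our own choice, not something the page or the standard prescribes.

```python
"""DKIM (RFC 6376) body-hash check with the standard library only.

Added illustration, not Microsoft 365 code. It canonicalizes the message body
(simple or relaxed), computes the bh= tag and checks it against a DKIM-Signature
header. The b= tag (RSA signature over the selected headers) is not verified
here: that needs the public key published at <selector>._domainkey.<domain>
and an RSA library, which the standard library does not provide.
"""
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines; an empty body becomes one CRLF."""
    lines = body.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of SP/TAB to one SP, strip trailing WSP
    on each line, drop trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, canon: str = "relaxed", algorithm: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the value of the bh= tag."""
    canon_body = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    return base64.b64encode(hashlib.new(algorithm, canon_body).digest()).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag-list; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def verify_body_hash(header_value: str, body: bytes) -> bool:
    """True if bh= in the DKIM-Signature matches the body as received."""
    tags = parse_dkim_tags(header_value)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    if "l" in tags:
        # l= limits the hashed body length, so anything appended after that point is
        # unsigned; this example refuses such signatures rather than accepting them.
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]   # "sha256" or "sha1"
    return hmac.compare_digest(tags["bh"], body_hash(body, body_canon, algorithm))


# Constructed message body and a DKIM-Signature built over it (b= is a placeholder).
EXAMPLE_BODY = b"Please find the  invoice attached.\r\nRegards,\r\nAccounts\r\n"
EXAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(EXAMPLE_BODY) + ";\r\n"
    "\tb=PLACEHOLDER_NOT_A_REAL_SIGNATURE"
)

if __name__ == "__main__":
    print("bh =", body_hash(EXAMPLE_BODY))
    print("intact body  :", verify_body_hash(EXAMPLE_DKIM_SIGNATURE, EXAMPLE_BODY))
    print("appended text:", verify_body_hash(EXAMPLE_DKIM_SIGNATURE, EXAMPLE_BODY + b"Click here\r\n"))
```

Relaxed canonicalization is why a message that picks up extra trailing blank lines or re-spaced text on the way still verifies, while any real change to the content produces a different bh= and fails. The header signature (b=) is what binds that body hash to the From, Subject and other listed headers, so a full verifier must check both.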

While the Third-Party Cybersecurity Compliance Certificate requirements were the reason for the updated security infrastructure, that infrastructure is now protecting our client’s information and systems. The investment in cyber security will surely give very high returns over time.

Contact us to enhance your company’s information and cyber security and reduce the risk of insider and outsider attacks. Remember, investment in cybersecurity is like insurance: you don’t need it till you need it.