2021-11-04

Information Technology Governance Framework for Financial Sector

The Saudi Central Bank (SAMA) issued the Information Technology Governance Framework to require financial institutions to systematically identify, manage and mature their IT controls through a structured, principle-based approach. The accompanying circular requires regulated entities to conduct a gap assessment against the Framework, submit a board-approved compliance roadmap targeting Maturity Level 3 to SAMA by the end of January 2023, achieve full compliance by the end of Q4 2023, have internal audit produce a detailed annual compliance report, and submit semi-annual progress reports to SAMA until full compliance is reached. Covering the governance and leadership, IT risk management, operations management and system change management domains, the Framework is intended to drive continuous IT maturity, regulatory alignment and optimal use of IT resources across the financial sector.

Saudi Arabia

Saudi Central Bank

Circular

To the Esteemed,

Peace be upon you, mercy of Allah and His blessings.

Subject: The Regulatory Framework for Information Technology Governance in the Financial Sector.

In keeping with SAMA's commitment to improving IT governance practices in step with technological development, by establishing effective controls for the development of the infrastructure environment for systems, applications and devices so as to ensure optimal use of IT resources in financial institutions, and pursuant to the powers vested in SAMA under its Law, issued by Royal Decree No. (36/M) dated 11/4/1443 AH, and other related laws, please find enclosed the Regulatory Framework for Information Technology Governance in the Financial Sector, with which financial institutions must comply in accordance with the following procedures:

First: Conduct a current-state assessment of IT in the financial institution against what is stipulated in the Regulatory Framework (gap assessment), in order to identify weaknesses and evaluate the maturity level as defined in the Framework.

Second: Following the current-state assessment, develop an action plan (roadmap) to comply with the Framework's requirements and achieve Maturity Level 3, and submit it to SAMA no later than the end of January 2023.

Third: Present the prepared plan (roadmap) to the Board of Directors for their information, and obtain the Board's approval of the plan and the necessary support.

Fourth: The financial institution must fully comply with the requirements stated in the Framework by the end of the fourth quarter of 2023.

Fifth: The internal audit department of the financial institution shall prepare a detailed annual report on the extent of compliance with the Framework's requirements, starting from the end of the first quarter of 2023.

Sixth: Provide SAMA with semi-annual reports, starting from the end of the first quarter of 2023, until full compliance with these requirements is achieved.

Seventh: The action plan referred to in item (Second), as well as the report referred to in item (Sixth), shall be sent to the email: CRC.Compliance@SAMA.GOV.SA

Yours sincerely,
Fahed bin Ibrahim Al-Shathri
Deputy Governor for Supervision


Distribution Scope:

  • Local banks and institutions.
  • Saudi Payments Company.
  • Credit information companies operating in the Kingdom.

Information Technology Governance Framework

November 2021
Version 1.0

Saudi Central Bank


Table of Contents

  1. Introduction
    1.1 Introduction to the Framework
    1.2 Definition of Information Technology Governance
    1.3 Scope
    1.4 Applicability
    1.5 Responsibilities
    1.6 Interpretation
    1.7 Target Audience
    1.8 Review, Updates and Maintenance
    1.9 Reading Guide

  2. Framework Structure and Features
    2.1 Structure
    2.2 Principle-based
    2.3 Self-Assessment, Review and Audit
    2.4 Information Technology Governance Maturity Model
      2.4.1 Maturity Level 3
      2.4.2 Maturity Level 4
      2.4.3 Maturity Level 5

  3. Control domains
    3.1 Information Technology Governance and Leadership
      3.1.1 Information Technology Governance
      3.1.2 Information Technology Strategy
      3.1.3 Manage Enterprise Architecture
      3.1.4 Information Technology Policy and Procedures
      3.1.5 Roles and Responsibilities
      3.1.6 Regulatory Compliance
      3.1.7 Internal IT Audit
      3.1.8 Staff Competence and Training
      3.1.9 Performance Management

    3.2 IT Risk Management
      3.2.1 Managing IT Risks
      3.2.2 Risk Identification and Analysis
      3.2.3 Risk Treatment
      3.2.4 Risk Reporting, Monitoring, and Profiling

    3.3 Operations Management
      3.3.1 Manage Assets
      3.3.2 Interdependencies
      3.3.3 Manage Service Level Agreements
      3.3.4 IT Availability and Capacity Management
      3.3.5 Manage Data Center
      3.3.6 Network Architecture and Monitoring
      3.3.7 Batch Processing
      3.3.8 IT Incident Management
      3.3.9 Problem Management
      3.3.10 Data Backup and Recoverability
      3.3.11 Virtualization

    3.4 System Change Management
      3.4.1 System Change Governance
      3.4.2 Change Requirement Definition and Approval
      3.4.3 System Acquisition
      3.4.4 System Development
      3.4.5 Testing
      3.4.6 Change Security Requirements
      3.4.7 Change Release Management
      3.4.8 System Configuration Management
      3.4.9 Patch Management
      3.4.10 IT Project Management
      3.4.11 Quality Assurance

  Appendices
    Appendix A – How to request an Update to the Framework
    Appendix B – Framework Update request form
    Appendix C – How to request a Waiver from the Framework
    Appendix D – Framework Waiver request form
    Appendix E – Glossary


1. Introduction

1.1 Introduction to the Framework

The current digital society has high expectations of a flawless customer experience and continuous availability of services. The advancement of information technology (“IT”) has brought rapid changes to the way business and operations are conducted in the financial sector. Although IT plays an essential role in today’s environment, it also exposes financial institutions to dynamically evolving IT risks.

In this regard, Saudi Central Bank (“SAMA”) has established an Information Technology Governance Framework (“the Framework”) to enable organizations regulated by SAMA (“the Member Organizations”) to effectively identify and address risks related to IT. The objective of the Framework is as follows:

  1. To create a common approach for addressing IT risks within the Member Organizations.
  2. To achieve an appropriate maturity level of IT controls within the Member Organizations.
  3. To ensure IT risks are properly managed throughout the Member Organizations.

The Framework will be used to periodically assess the maturity level and evaluate the effectiveness of the IT controls at Member Organizations. The Framework is based on SAMA requirements and industry IT standards.

1.2 Definition of Information Technology Governance

Information Technology (IT) governance ensures the effective and efficient use of IT to enable a Member Organization to achieve its goals and objectives. It enables Member Organizations to obtain optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.

1.3 Scope

The Framework defines principles and objectives for initiating, implementing, maintaining, monitoring and improving IT governance controls within Member Organizations regulated by SAMA. The Framework sets out IT governance Control Requirements that apply to the information assets of the Member Organizations. Additionally, the Framework provides direction on IT governance requirements for Member Organizations and their subsidiaries, staff, third parties and customers. The Framework should be implemented in conjunction with SAMA’s Cyber Security Framework and Business Continuity Management Framework (Figure 1). For specific cyber security and business continuity requirements, please refer to those two frameworks.

Figure 1 – Relationship between SAMA Frameworks


The Framework has an interrelationship with other corporate policies for related areas, such as change management and staff training. This framework does not address the non-IT requirements for those areas.

1.4 Applicability

The framework is applicable to Member Organizations regulated by SAMA.

1.5 Responsibilities

The framework is mandated by SAMA and will be circulated to Member Organizations for implementation. SAMA is the owner and is responsible for periodically updating the framework. The Member Organizations are responsible for implementing and complying with the framework.

1.6 Interpretation

SAMA, as the owner of the framework, is solely responsible for providing interpretations of the principles and Control Requirements, if required.

1.7 Target Audience

The Framework is intended for senior and executive management, business owners, owners of information assets, CIOs and those who are responsible for and involved in defining, implementing and reviewing IT controls within the Member Organizations.

1.8 Review, Updates and Maintenance

SAMA will review the Framework periodically to determine the Framework’s effectiveness, including the effectiveness of the Framework to address emerging IT threats and risks. If applicable, SAMA will update the Framework based on the outcome of the review.

If a Member Organization considers that an update to the framework is required, the Member Organization should formally submit the requested update to SAMA. SAMA will review the requested update, and when applicable, the Framework will be adjusted on the next updated version.

The Member Organization remains responsible for compliance with the Framework pending the next version update.

Please refer to ‘Appendix A – How to request an Update to the Framework’ for the process of requesting an update to the Framework.

Version control will be implemented for maintaining the framework. Whenever any changes are made, the preceding version shall be retired and the new version shall be published and communicated to all Member Organizations. For the convenience of the Member Organizations, changes to the framework shall be clearly indicated.

1.9 Reading Guide

The Framework is structured as follows. Chapter 2 elaborates on the structure of the Framework, and provides instructions on how to apply the Framework. Chapter 3 presents the actual framework, including the IT domains and subdomains, principles, objectives and Control Requirements.

2. Framework Structure and Features

2.1 Structure

The Framework is structured around four main domains, namely:

  • Information Technology Governance and Leadership.
  • Information Technology Risk Management.
  • Information Technology Operations Management.
  • System Change Management.

For each domain, several subdomains are defined. A subdomain focuses on a specific IT governance topic. For each subdomain, the Framework states a principle and a set of Control Requirements.

  • The Principle summarizes the main set of required IT controls related to the subdomain.
  • The Control Requirements reflect the mandated IT controls that should be considered.

The Framework should be implemented in view of the principle stated for each subdomain together with its associated Control Requirements.

Control Requirements have been uniquely numbered according to the following numbering system throughout the Framework:

Figure 2 – Control requirements numbering system

The figure below illustrates the overall structure of the Framework and indicates the IT Governance Framework domains and subdomains, including a reference to the applicable section of the Framework.

Figure 3 – Information Technology Governance Framework

2.2 Principle-based

The Framework is principle based, also referred to as risk based. This means that it prescribes key IT governance principles and objectives to be embedded and achieved by the Member Organizations. The list of mandated Control Requirements provides additional direction and should be considered by the Member Organizations in achieving the objectives. When a certain Control Requirement cannot be tailored or implemented, the Member Organization should consider applying compensating controls, pursuing an internal risk acceptance and requesting a formal waiver from SAMA. Please refer to ‘Appendix C – How to request a Waiver from the Framework’ for the waiver process.

2.3 Self-Assessment, Review and Audit

The implementation of the framework at the Member Organizations will be subject to a periodic self-assessment. The self-assessment will be performed by the Member Organizations based on a questionnaire. The self-assessments will be reviewed and audited by SAMA to determine the level of compliance with the framework and the IT maturity level of the Member Organizations. Please refer to ‘2.4 Information Technology Governance Maturity Model’ for more details about the information technology governance maturity model.

2.4 Information Technology Governance Maturity Model

The Information Technology Governance maturity level will be measured with the help of a predefined maturity model. The information technology governance maturity model distinguishes 6 maturity levels (0, 1, 2, 3, 4 and 5), which are summarized in the table below. In order to achieve levels 3, 4 or 5, Member Organizations should first meet all criteria of the preceding maturity levels.

Maturity Level 0: Non-existent
  Definition and criteria:
    • No documentation.
    • There is no awareness of or attention to the IT control in question.
  Explanation:
    • IT controls are not in place. There may be no awareness of the particular risk area, or no current plans to implement such IT controls.

Maturity Level 1: Ad-hoc
  Definition and criteria:
    • IT controls are not defined, or are only partially defined.
    • IT controls are performed in an inconsistent way.
  Explanation:
    • IT control design and execution vary by department or owner.
    • IT control design may only partially mitigate the identified risk, and execution may be inconsistent.

Maturity Level 2: Repeatable but informal
  Definition and criteria:
    • The execution of the IT control is based on an informal and unwritten, though standardized, practice.
  Explanation:
    • Repeatable IT controls are in place; however, the control objectives and design are not formally defined or approved.
    • There is limited consideration for structured review or testing of a control.

Maturity Level 3: Structured and formalized
  Definition and criteria:
    • IT controls are defined, approved and implemented in a structured and formalized way.
    • The implementation of IT controls can be demonstrated.
  Explanation:
    • IT policies, standards and procedures are established.
    • Compliance with IT documentation (policies, standards and procedures) is monitored, preferably using a governance, risk and compliance (GRC) tool.
    • Key performance indicators are defined, monitored and reported to evaluate the implementation.

Maturity Level 4: Managed and measurable
  Definition and criteria:
    • The effectiveness of the IT controls is periodically assessed and improved when necessary.
    • The periodic measurements, evaluations and opportunities for improvement are documented.
  Explanation:
    • The effectiveness of IT controls is measured and periodically evaluated.
    • Key risk indicators and trend reporting are used to determine the effectiveness of the IT controls.
    • Results of measurement and evaluation are used to identify opportunities for improvement of the IT controls.

Maturity Level 5: Adaptive
  Definition and criteria:
    • IT controls are subject to a continuous improvement plan.
  Explanation:
    • The enterprise-wide IT governance program focuses on continuous compliance, effectiveness and improvement of the IT controls.
    • IT controls are integrated with the enterprise risk management framework and practices.
    • The performance of IT controls is evaluated using peer and sector data.

Table 1 – Information Technology Governance Maturity Model


2.4.1 Maturity Level 3

To achieve level 3 maturity, a Member Organization should define, approve and implement IT controls. In addition, it should monitor compliance with the IT documentation. The IT documentation should clearly indicate “why”, “what” and “how” IT controls should be implemented. The IT documentation consists of IT policies, standards and procedures.

Figure 4 – Information Technology Documentation Pyramid

The IT policy should be endorsed and mandated by the board of the Member Organization and should state “why” IT is important to the Member Organization. The policy should highlight which information assets should be protected and “what” IT principles and objectives should be established.

Based on the IT policy, IT standards should be developed. These standards define “what” IT controls should be implemented, such as, segregation of duties, back-up and recovery rules, etc. The standards support and reinforce the IT policy and are to be considered as IT baselines.

The step-by-step tasks and activities that should be performed by staff of the Member Organization are detailed in the IT procedures. These procedures prescribe “how” the IT controls, tasks and activities have to be executed in the operating environment.

The process in the context of this framework is defined as a structured set of activities designed to accomplish the specified objective. A process may include policies, standards, guidelines, procedures, activities and work instructions, as well as any of the roles, responsibilities, tools and management controls required to reliably deliver the output.

The actual progress of the implementation, performance and compliance of the IT controls should be periodically monitored and evaluated using key performance indicators (KPIs).

2.4.2 Maturity Level 4

To achieve maturity level 4, Member Organizations should periodically measure and evaluate the effectiveness of implemented IT controls. In order to measure and evaluate whether the IT governance controls are effective, key risk indicators (KRIs) should be defined. A KRI indicates the norm for effectiveness measurement and should define thresholds to determine whether the actual result of measurement is below, on, or above the targeted norm. KRIs are used for trend reporting and identification of potential improvements.


2.4.3 Maturity Level 5

Maturity level 5 focuses on the continuous improvement of IT controls. Continuous improvement is achieved through continuously analyzing the goals and achievements of IT governance and identifying structural improvements. IT controls should be integrated with enterprise risk management practices and supported with automated real-time monitoring. Business process owners should be accountable for monitoring the compliance of the IT controls, measuring the effectiveness of the IT controls and incorporating the IT controls within the enterprise risk management framework. Additionally, the performance of IT controls should be evaluated using peer and sector data.


3. Control domains

3.1 Information Technology Governance and Leadership

The board of a Member Organization is ultimately responsible for setting Information Technology (IT) governance and for ensuring that IT risks are effectively managed within the Member Organization. The board may delegate its IT governance responsibilities to senior management or to an IT steering committee (ITSC). The ITSC could be responsible for defining IT governance and setting the Member Organization’s IT strategy.

3.1.1 Information Technology Governance

Principle
An IT Governance struct