Lesson: Cybersecurity Regulations and Laws - Cybersecurity - Third Secondary (Grade 12)
1. Fundamentals of Cybersecurity
2. Cybersecurity Protection and Response
3. Advanced Topics in Cybersecurity
In this unit, you will learn about how cybersecurity legislation influences the modern technological landscape both in Saudi Arabia and internationally. You will then be introduced to cryptography and you will implement cryptographic algorithms with Python. Finally, you will learn the importance of robust cybersecurity systems for applications built with emerging technologies.

Learning Objectives
In this unit, you will learn to:
> Outline the main points of standardized cybersecurity legislation.
> Identify the main cybersecurity laws and regulations that are present in Saudi Arabia and in other countries.
> Explain what cryptography is and its uses.
> Identify the types of cryptography and their potential threats from hackers.
> Implement cryptographic algorithms with Python.
> Analyze how cybersecurity systems protect systems created with emerging technologies.

Tools
> Python
Lesson 1: Cybersecurity Regulations and Laws

The Importance of Laws and Regulations in Cybersecurity
As technology systems have advanced, so has the need to ensure that individuals and businesses stay secure online. Cybersecurity laws and regulations exist as a way to make sure that companies and individuals are held liable for any security incidents that may occur. Organizations and governments can more effectively protect data and remain compliant by understanding the laws, regulations, and other existing guidelines.

Understanding the laws and regulations will help individuals and organizations play an active role in keeping the Internet safe. This knowledge can be used to strengthen security practices, create more secure products, and increase customer trust in their products and services.

The most important points for the correct use of legislation and regulation in cybersecurity are the following:

Data Privacy and Protection
With vast amounts of personal and sensitive data being collected, stored, and transmitted digitally, laws and regulations help ensure that this information is handled securely and responsibly. This protects individuals' privacy rights and prevents unauthorized access or misuse of their data.

Standardization
Cybersecurity regulations and laws provide a common set of standards and best practices for organizations to follow, promoting a baseline level of security across industries. This standardization facilitates better collaboration between organizations and enables more effective response strategies to cyber threats.

Compliance and Accountability
Legal frameworks hold organizations accountable for their security posture by requiring them to implement specific security measures and report breaches when they occur. This promotes a culture of compliance and encourages organizations to continually assess and improve their cybersecurity practices.
Deterrence and Prosecution
Cybersecurity laws define and classify various cybercrimes, allowing law enforcement agencies to pursue and prosecute offenders. This serves as a deterrent against malicious cyber activities and ensures that cybercriminals are held accountable for their actions.

International Cooperation
Because cyber threats and attacks cover multiple countries, international collaboration is essential in combating cybercrime. Cybersecurity laws and regulations help facilitate cooperation between nations, enabling the sharing of intelligence, resources, and best practices in addressing global cyber threats.

Cybersecurity Laws and Regulations in the KSA

Cybersecurity Controls
The National Cybersecurity Authority (NCA) in Saudi Arabia has published various cybersecurity controls that public and private entities operating in Saudi Arabia must adhere to. Cybersecurity controls are technical and non-technical measures designed to protect computer systems, networks, and data from unauthorized access, misuse, modification, destruction, or disruption. The following is an overview of these controls.

Essential Cybersecurity Controls (ECC)
The ECC is a set of fundamental cybersecurity controls designed to protect organizations from common cyber threats and establish a baseline level of security. These controls address various aspects of cybersecurity, including asset management, access control, incident response, and security awareness training. All national public organizations and their companies and entities, as well as private sector organizations owning, operating or hosting Critical National Infrastructures, must comply with the ECC to ensure the protection of their information systems and compliance with national cybersecurity standards.

[Figure 33: Essential Cybersecurity Controls (ECC - 2018). The figure shows the ECC main domains, including Cybersecurity Governance and Cybersecurity Defense.]
Data Cybersecurity Controls (DCC)
The NCA has issued the Data Cybersecurity Controls (DCC) to improve the regulation and security of the cyberspace in the Kingdom. The DCC controls aim to raise the level of cybersecurity protection for national data and to support organizations in their efforts to securely handle and protect their data and information, throughout the data lifecycle, from associated threats and risks.

1. Cybersecurity Governance
   1-1 Periodical Cybersecurity Review and Audit
   1-2 Cybersecurity in Human Resources
   1-3 Cybersecurity Awareness and Training Program
2. Cybersecurity Defence
   2-1 Identity and Access Management
   2-2 Information System and Information Processing Facilities Protection
   2-3 Mobile Devices Security
   2-4 Data and Information Protection
   2-5 Cryptography
   2-6 Secure Data Disposal
   2-7 Cybersecurity for Printers, Scanners and Copy Machines
3. Third-Party and Cloud Computing Cybersecurity
   3-1 Third-Party Cybersecurity

Figure 32: DCC Main Domains and Subdomains

Cloud Cybersecurity Controls
The NCA has developed the Cloud Cybersecurity Controls, which is an extension of the ECC controls. These are more specialized guidelines for Cloud Service Providers (CSPs) and Cloud Service Tenants (CSTs).

Telework Cybersecurity Controls
The purpose of this document is to guide organizations to perform remote work securely, adapting to changes in the business environment and telework systems when providing remote work.
Critical Systems Cybersecurity Controls
This document offers specific guidelines for the cybersecurity governance of cloud systems of organizations that are deemed mission-critical.

Operational Technology Cybersecurity Controls
These controls aim to enhance the cybersecurity of Operational Technology (OT) systems in the Kingdom. They set the minimum cybersecurity requirements for organizations to safeguard their Industrial Control Systems (ICS) against cyber threats that may cause harmful effects.

Cybercrime Regulation
In the Kingdom of Saudi Arabia, several laws and standards have been established to address cybercrime and protect the privacy and security of individuals and organizations. The following is an overview of the most prominent of these:

Personal Data Protection Law (PDPL)
The Personal Data Protection Law (PDPL) and its executive regulations are relevant to protecting the privacy of individuals in Saudi Arabia and set the legal basis for the protection of your rights regarding the processing of personal data by all entities in the Kingdom, as well as all entities outside the Kingdom that process personal data related to individuals residing in the Kingdom using any means, including online personal data processing.

Anti-Cyber Crime Law
The Saudi Arabian Anti-Cyber Crime Law is a set of laws and regulations that criminalize a wide range of cybercrime activities in Saudi Arabia. The law was enacted to protect the country's national security and economic interests from cyber threats and ensure the safety of citizens and residents from cybercrime. The Anti-Cyber Crime Law criminalizes cybercrime activities such as hacking, online fraud, identity theft, and privacy invasion. It also includes provisions for the protection of personal data and the investigation and prosecution of cybercrime. Under the Anti-Cyber Crime Law, cybercrime is considered a serious offense punishable by fines, imprisonment, and other penalties. The law also authorizes the government to take measures to block access to websites that are deemed to be involved in cybercrime.
International Cybersecurity Laws and Regulations
International cybersecurity laws and regulations have become increasingly important in protecting data and information globally, in addition to the laws and regulations already in place in the Kingdom of Saudi Arabia. Following are some of the most prominent international cybersecurity and data laws.

USA

CFAA
The CFAA is a federal law that deals with computer crime and data privacy. The law prohibits unauthorized access to computers and any form of intentional harm or damage to any computer system. It is one of the first federal laws to criminalize computer misuse and focus on data protection.

HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law requiring national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

COPPA
The Children's Online Privacy Protection Act (COPPA) is a law in the United States that establishes rules for collecting and using personal data from children under the age of 13. It requires websites, mobile applications, and other online services to obtain parental consent before collecting, using, or sharing children's personal information.

EU

EU Cybersecurity Act
The EU Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA) and creates a framework for certifying the cybersecurity of products and services. ENISA will prepare the technical foundations for certification schemes, and the act establishes an EU-wide certification framework for ICT products, services, and processes. This means companies operating in the EU must only certify their ICT products, processes, and services once, and their certificates will be recognized throughout the European Union.

GDPR
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the EU and the European Economic Area. The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

UK

NIS Regulations
The Security of Network & Information Systems Regulations (NIS Regulations) are laws aimed at increasing the security of digital and physical networks and information systems. They are intended to safeguard essential and digital services from cyber-attacks, protecting citizens, businesses, and public services. The regulations apply to companies providing essential services, such as transport, energy, water, health, and digital infrastructure, as well as digital service providers, including online marketplaces, search engines, and cloud computing services.
Exercises

1 Read the sentences and tick True or False.
1. Laws and regulations are only used to protect companies from cyber threats.
2. Standardization of cybersecurity laws and regulations promotes the highest level of security.
3. Organizations and governments are not held accountable for security breaches.
4. International cooperation is not essential in combating cybercrime.
5. Cybersecurity laws and regulations have no effect on customer trust in products and services.
6. The NCA aims to protect the Kingdom's interests by strengthening its cybersecurity infrastructure.
7. The ECC is a set of fundamental cybersecurity controls designed to protect organizations from common cyber threats.
8. The PDPL offers guidelines for cloud cybersecurity governance.
9. HIPAA regulates the unauthorized access of digital financial data.
10. The Saudi Anti-Cyber Crime Law covers both personal and enterprise security.
2 Explain how standardization of cybersecurity laws benefits businesses and organizations.

3 Analyze two subcategories of Cloud Cybersecurity Control guidelines.
4 Evaluate the implications of not adhering to cybersecurity laws and regulations.

5 Define the Anti-Cyber Crime Law in Saudi Arabia.
6 Search the Internet for the ECC controls and list the main controls for a cybersecurity awareness and training program.

7 Evaluate the implications of the GDPR for businesses operating across borders.