NCA TCC — Telework Cybersecurity Controls for a Remote Workforce

SKYLINE Knowledge Base

A practitioner-grade walk-through of NCA TCC — Telework Cybersecurity Controls for a Remote Workforce. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for NCA Frameworks.

Overview

The Telework Cybersecurity Controls (TCC-1:2021) cover any work performed outside the organisation's physical premises (home office, hotel, customer site) and any endpoint that is not a permanently corporate-managed device sitting inside the corporate LAN. TCC is a binding extension of ECC and applies as soon as an entity allows even one employee to access corporate systems remotely.

Who this applies to

  • Every entity already subject to ECC.
  • Every contractor accessing the entity's systems remotely.
  • Bring-your-own-device (BYOD) is discouraged for Restricted data; if permitted, additional containerisation controls apply.

Key control areas

TCC adds 22 controls layered on top of ECC, grouped as:

  1. Remote-access governance — telework policy, manager approval per employee.
  2. Endpoint requirements — managed by MDM, full-disk encryption, EDR, OS up-to-date.
  3. Network controls — VPN with MFA, ZTNA, anti-DNS-leak, no split-tunnel for Restricted data.
  4. Data protection — DLP on email, removable-media controls, screen-share recording forbidden.
  5. Monitoring — log every remote session, alert on geolocation anomalies.

Step 1: Telework policy

Document and have signed by every teleworking employee:

TELEWORK ACCEPTABLE-USE POLICY
1. I shall only use a corporate-managed device or an enrolled BYOD container.
2. I shall connect to corporate systems via the corporate VPN/ZTNA gateway only.
3. I shall enforce screen-lock at 5 minutes idle.
4. I shall not print Restricted data at home.
5. I shall not allow family members to use my work device.
6. I shall report a lost or stolen device within 1 hour.
7. I accept that all sessions are logged.

Step 2: Endpoint baseline

Required on every teleworking device:

  • Disk encryption (BitLocker / FileVault / LUKS).
  • EDR with cloud telemetry (Defender for Endpoint / Crowdstrike / Wazuh + Sysmon).
  • Auto-update enforced and proven via MDM.
  • Local administrator restricted to a vaulted account.
  • USB mass-storage blocked unless explicitly enabled by the security team.
Intune compliance policy for the baseline above, expressed as the Microsoft Graph windows10CompliancePolicy body (POST /deviceManagement/deviceCompliancePolicies). Note that passwordRequiredType only accepts deviceDefault, alphanumeric or numeric, and the 5-minute lock matches clause 3 of the telework policy:

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "displayName": "TCC telework baseline",
  "bitLockerEnabled": true,
  "defenderEnabled": true,
  "passwordRequired": true,
  "passwordMinimumLength": 14,
  "passwordRequiredType": "alphanumeric",
  "passwordMinutesOfInactivityBeforeLock": 5,
  "osMinimumVersion": "10.0.19045",
  "storageRequireEncryption": true
}

Step 3: ZTNA or VPN with MFA

Plain VPN concentrators with a username/password are non-compliant. Either:

  • VPN + MFA + device posture check (Cisco AnyConnect with HostScan, OpenVPN + Duo + Wazuh agent attestation), or
  • ZTNA broker (Cloudflare Access, Zscaler ZPA, Twingate, Pomerium / OPA-based open-source) with per-application policy.

Sample Pomerium route policy (PPL, which Pomerium compiles to OPA/Rego internally):

routes:
  - from: https://hrm.intranet.example.sa
    to: http://hrm-internal.local
    policy:
      - allow:
          and:
            - domain:
                is: example.sa
            - device:
                approved: true
            - claim/groups: hrm-users

PPL has no geolocation criterion, so the "Saudi Arabia only" requirement from the network controls is enforced upstream, in the identity provider's conditional-access rules or at the gateway's edge firewall, rather than in the route policy.

Step 4: DLP and data containment

  • Outlook / O365 DLP rules block sending Restricted-classified labels to non-corporate domains.
  • Browser isolation for any third-party SaaS that handles Restricted data.
  • Cloud-storage sync (OneDrive, Google Drive) limited to corporate tenant only.
  • Screen recording and screenshots blocked at the application level for Top Secret / Secret.

Step 5: Monitoring

Every remote-access session logged with: user, device ID, source IP, geolocation, session start/end, bytes transferred, applications accessed.

Sample SIEM rule:

rule "TCC: Impossible travel"
  when
    auth.user same in 2 events
    auth.event_time_delta < 4h
    auth.geo_country differs
    auth.geo_distance_km > 1000
  then
    severity: high
    alert: "Telework geolocation anomaly"
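The session attributes listed above and the pseudo-rule, as an added runnable example (this is not the page's own code or any SIEM's rule syntax). It rejects records that lack a required attribute, since an incomplete log is useless as audit evidence, and instead of the fixed "1000 km within 4 h" pair it derives the speed the user would have needed between two sessions and flags anything faster than an airliner. The fixed thresholds would flag a normal Riyadh-to-Cairo flight, and the "country differs" clause would miss two simultaneous sessions from Riyadh and Jeddah; this version handles both. The field names, the 900 km/h ceiling, the 100 km jitter floor and the session data are assumptions constructed for illustration.

```python
"""Impossible-travel detection over remote-access session records (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Attributes TCC asks us to log per session; names are this example's own assumption.
REQUIRED_FIELDS = ("user", "device_id", "src_ip", "country", "lat", "lon",
                   "start", "end", "bytes", "apps")
MAX_PLAUSIBLE_KMH = 900.0   # assumption: fastest legitimate travel (airliner)
MIN_DISTANCE_KM = 100.0     # assumption: ignore GeoIP jitter within one metro area
EARTH_RADIUS_KM = 6371.0


def missing_fields(record):
    """Return the required session attributes absent from one log record."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS-84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(records, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sessions of one user that imply travel faster than max_kmh.

    Elapsed time runs from the END of the earlier session to the START of the
    later one, so overlapping sessions from distant places get 'infinite' speed.
    Sessions closer than MIN_DISTANCE_KM to the previous one are ignored.
    """
    for r in records:
        missing = missing_fields(r)
        if missing:   # incomplete record: not usable as evidence, fail loudly
            raise ValueError(f"record for {r.get('user')!r} is missing {missing}")
    by_user = {}
    for r in sorted(records, key=lambda r: datetime.fromisoformat(r["start"])):
        by_user.setdefault(r["user"], []).append(r)
    alerts = []
    for user, sessions in by_user.items():
        for prev, cur in zip(sessions, sessions[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue
            gap_h = (datetime.fromisoformat(cur["start"])
                     - datetime.fromisoformat(prev["end"])).total_seconds() / 3600
            speed = dist / gap_h if gap_h > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user,
                               "from": (prev["country"], prev["src_ip"]),
                               "to": (cur["country"], cur["src_ip"]),
                               "distance_km": round(dist),
                               "gap_hours": round(max(gap_h, 0.0), 2),
                               "implied_kmh": speed,
                               "severity": "high",
                               "alert": "Telework geolocation anomaly"})
    return alerts


def _rec(user, device, ip, country, lat, lon, start, end, nbytes, apps):
    return {"user": user, "device_id": device, "src_ip": ip, "country": country,
            "lat": lat, "lon": lon, "start": start, "end": end,
            "bytes": nbytes, "apps": apps}


# Constructed sample data: city coordinates are real, the sessions are made up.
RIYADH, JEDDAH = (24.7136, 46.6753), (21.4858, 39.1925)
CAIRO, FRANKFURT = (30.0444, 31.2357), (50.1109, 8.6821)
SAMPLE_RECORDS = [
    # alice: Riyadh, then Cairo 3.5 h later (~1630 km, ~470 km/h: a flight, not flagged),
    # then Frankfurt 15 min after the Cairo session ended (flagged).
    _rec("alice", "LT-0451", "203.0.113.10", "SA", *RIYADH,
         "2024-03-01T08:00:00+03:00", "2024-03-01T09:00:00+03:00", 4_200_000, ("hrm", "mail")),
    _rec("alice", "LT-0451", "198.51.100.7", "EG", *CAIRO,
         "2024-03-01T12:30:00+03:00", "2024-03-01T12:45:00+03:00", 900_000, ("mail",)),
    _rec("alice", "LT-0451", "192.0.2.44", "DE", *FRANKFURT,
         "2024-03-01T13:00:00+03:00", "2024-03-01T13:40:00+03:00", 15_000_000, ("hrm", "erp")),
    # bob: Riyadh, then Jeddah 2 h after the first session ended (~845 km: not flagged).
    _rec("bob", "LT-0102", "203.0.113.22", "SA", *RIYADH,
         "2024-03-01T07:00:00+03:00", "2024-03-01T07:30:00+03:00", 300_000, ("mail",)),
    _rec("bob", "LT-0102", "203.0.113.90", "SA", *JEDDAH,
         "2024-03-01T09:30:00+03:00", "2024-03-01T10:00:00+03:00", 600_000, ("mail",)),
    # carol: a Jeddah session opens while her Riyadh session is still active (flagged,
    # even though both sessions are in SA).
    _rec("carol", "LT-0777", "203.0.113.31", "SA", *RIYADH,
         "2024-03-01T10:00:00+03:00", "2024-03-01T11:00:00+03:00", 2_000_000, ("erp",)),
    _rec("carol", "LT-0777", "203.0.113.95", "SA", *JEDDAH,
         "2024-03-01T10:20:00+03:00", "2024-03-01T10:40:00+03:00", 50_000, ("erp",)),
    # dave: two Riyadh sessions from different ISP egress points (a few km apart, ignored).
    _rec("dave", "LT-0003", "203.0.113.50", "SA", *RIYADH,
         "2024-03-01T09:00:00+03:00", "2024-03-01T09:30:00+03:00", 100_000, ("mail",)),
    _rec("dave", "LT-0003", "203.0.113.51", "SA", 24.65, 46.71,
         "2024-03-01T09:31:00+03:00", "2024-03-01T09:50:00+03:00", 100_000, ("mail",)),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_RECORDS):
        print(alert)
```

Running the block prints two alerts: alice's Cairo-to-Frankfurt hop and carol's overlapping Riyadh and Jeddah sessions. Feed it the JSON your VPN or ZTNA gateway emits after mapping the field names, and tune MIN_DISTANCE_KM to your GeoIP provider's accuracy.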

Common gotchas

  • VPN split-tunnelling that lets SaaS and Internet traffic leave the teleworking device directly, bypassing the corporate proxy and DLP.
  • BYOD without MDM enrolment — endpoint compliance unverifiable.
  • Family member uses the corporate laptop — automatic violation.
  • Remote-access logs kept only for 30 days — TCC requires 12 months minimum.

Verification — audit-ready evidence

  • Signed telework policy for every teleworking employee.
  • MDM compliance report per device.
  • VPN/ZTNA configuration with MFA and posture-check screenshots.
  • Sample of 30 remote-session logs with full attributes.
  • DLP rule catalogue with effective dates.

Conclusion

TCC reframes remote work as a device-and-identity problem rather than a network-perimeter problem. Make the policy human, make the enforcement automated, and audit both quarterly.

SKYLINE Engineering (@skyline)

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.