What services does SKYLINE provide?

We provide specialized divisions including: Data Centre Design & Build (Tier III/IV), Cybersecurity SOC/NOC Operations, SCADA & Automation, Fire Safety, Construction, HVAC, AI Solutions, Server Infrastructure with HPE & Dell, and Software Development.

Does SKYLINE design and build data centres?

Yes, we specialize in Tier III and Tier IV data centre design and construction including electrical infrastructure, precision cooling, raised flooring, fire suppression, and Schneider Electric UPS systems. All our projects are SACS-002 compliant and trusted by major clients like Saudi Aramco and SABIC.

Where is SKYLINE located?

Our headquarters is in Dammam, Eastern Province, Saudi Arabia. We serve all regions of Saudi Arabia and GCC countries including Riyadh, Jeddah, Khobar, Dhahran, and Jubail.

What compliance certifications does SKYLINE hold?

We comply with NCA-ECC (Essential Cybersecurity Controls), SACS-002 (Saudi Communications Standards for Data Centres), ISO 27001 (Information Security Management), and SAMA Cybersecurity Framework.

What experience does SKYLINE have in the Saudi market?

SKYLINE was founded in 2019 with 6+ years of experience, has completed 15+ mega projects including the FIFA Club World Cup, and serves 200+ clients including Saudi Aramco, SABIC, Maaden, and STC.

SKYLINE Industrial & IT Solutions

A practitioner-grade walk-through of SAMA Cyber Security Framework — Full Bank Compliance Roadmap. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for SAMA Banking Compliance.

SKYLINE Engineering @skyline

Published: Jan 29, 2026
Last updated: May 28, 2026
Reading time: 4 min

Compliance Cybersecurity Saudi Arabia Ksa Banking Sama Csf

Overview

The SAMA Cyber Security Framework (CSF v1.0) is the Saudi Central Bank's binding cybersecurity standard for every member organisation — licensed banks, finance companies, insurance providers and payment service providers. CSF is enforced through annual self-assessment plus an independent assessment every two years. Banks operating under CSF must reach Maturity Level 3 (Structured & Formalised) within 18 months of licensing and Level 4 (Effective & Operating) within three years.

Who this applies to

Domestic and foreign-branch banks operating in KSA.
Finance companies licensed by SAMA.
Insurance and reinsurance companies licensed by SAMA.
Payment service providers and FinTech licensed by SAMA.

Key domains

CSF defines 4 domains subdivided into 11 sub-domains with 118 controls:

Cybersecurity Leadership and Governance (1-x): board responsibility, CISO role, policies, risk management.
Cybersecurity Risk Management and Compliance (2-x): risk methodology, regulatory compliance, audit.
Cybersecurity Operations and Technology (3-x): identity & access, application security, infrastructure security, cryptography, BYOD, secure disposal, payment systems, electronic banking, electronic-banking customer authentication.
Third-Party Cybersecurity (4-x): outsourcing, supplier risk, cloud.

12-month implementation timeline

Month 1-2  | Gap analysis + board briefing
Month 3-4  | Policy library v1; CISO appointment; risk methodology
Month 5-6  | Technical baselines; IAM redesign; PAM rollout
Month 7-8  | SOC build-out; SIEM go-live; IR run-books
Month 9-10 | Application security programme; secure SDLC
Month 11   | Internal audit dry-run; remediation
Month 12   | Independent assessment + SAMA submission

Step 1: Governance

Board-level Cyber Risk Committee meeting quarterly with minutes.
CISO direct line to CEO and to the Risk Committee.
Approved 3-year cybersecurity strategy with annual review.
Annual budget line item ring-fenced.

Step 2: Risk methodology

CSF expects a risk methodology aligned with ISO 31000 / ISO 27005. Required artefacts:

Risk taxonomy (threats, vulnerabilities, assets).
Risk-rating scale with explicit board-approved thresholds.
Quarterly risk register update.
Independent risk function reporting to the Risk Committee.

Step 3: Operational technical baselines

| Sub-domain | Minimum control | |---|---| | 3-3 IAM | SSO + adaptive MFA + privileged access manager (CyberArk / Delinea / open-source HashiCorp Vault) | | 3-4 App Security | Secure SDLC + SAST + DAST + threat modelling for every new release | | 3-5 Infrastructure | Hardened gold images, patching SLA P1=7d / P2=30d / P3=90d | | 3-6 Cryptography | FIPS 140-2 Level 3 HSM for payment keys, TLS 1.2+ everywhere | | 3-8 Payment Systems | PCI DSS compliance + dedicated payment-zone segregation | | 3-9 E-Banking | Strong customer authentication (SCA), transaction signing |

Sample HSM-backed key policy:

key: card_issuance_dek
algorithm: AES-256
storage: Thales Luna 7 HSM (Riyadh + Dammam dual-site)
rotation: every 12 months
custodians: 3 (2-of-3 quorum)
export: PERMANENTLY DISALLOWED
audit: every operation logged to immutable WORM store, retained 7 years

Step 4: Application security for digital channels

CSF 3-4 requires:

Threat modelling using STRIDE for every major release.
SAST tooling integrated into CI (SonarQube + Semgrep + Snyk).
DAST tooling running against staging weekly (OWASP ZAP / Burp Suite).
Annual independent penetration test of customer-facing channels.
Web Application Firewall in front of every digital banking app.
Bot management for credential stuffing.

Step 5: Customer authentication

All retail customers: SCA via SMS OTP + push notification, with TOTP fallback.
High-value transfers: transaction signing with the bank's own app.
Login from a new device triggers step-up authentication.
Behavioural-biometric and device-fingerprinting passively analysed.

Step 6: Third-party and outsourcing

CSF 4-x requires:

Risk-tier every vendor: critical / important / standard.
Critical vendors: annual on-site assessment, financial-health check.
Cloud contracts approved by SAMA (per the Cloud Computing Rulebook).
Exit plan documented for every critical outsourcing.

Common gotchas

"We outsource cybersecurity to our MSSP" — SAMA holds the bank accountable, not the MSSP.
PCI DSS compliance assumed to cover all of CSF — CSF goes further on governance, BCM and customer authentication.
HSM keys exportable for "convenience" — automatic Critical finding.
Annual internal audit covering only IT, not the business processes — fails 2-3.

Verification — audit-ready evidence

Board-approved cybersecurity strategy + annual review minutes.
Risk register reviewed quarterly.
Patching SLA dashboard.
Pen-test report dated within 12 months + retest evidence.
PAM tool inventory: 100% privileged accounts vaulted.
SAMA self-assessment workbook completed annually.

Conclusion

CSF turns cybersecurity into a business risk with board ownership. The CISO is the accountable executive, but the board is on the hook. Build the programme so the board can defend it to SAMA without paraphrasing.

Related guides

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.

See author profile

SKYLINE engineering services

Need this implemented for you?

Reading is free — building it right takes a team. SKYLINE engineers ship SAMA Banking Compliance for Aramco vendors, banks, hospitals and government agencies across Saudi Arabia. Talk to us before you start.

Cybersecurity & Data Centre SACS-210, NCA ECC, SOC, 24/7 ops ZATCA & Financial Centre Phase-2 e-invoicing, FATOORA integration, GL controls

Talk to a SKYLINE engineer WhatsApp · +966 50 993 9334 Call +966 50 993 9334

Aramco Approved Contractor ISO 9001 · ISO 27001 SAMA CSF aligned NCA ECC ready 247+ KSA clients

Comments

0 total · 0 threads

Be the first to leave a comment.