SAMA Cyber Security Maturity Assessment — Move From Level 2 to Level 4

SKYLINE Knowledge Base

A practitioner-grade walk-through of SAMA Cyber Security Maturity Assessment — Move From Level 2 to Level 4. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for SAMA Banking Compliance.

Overview

SAMA scores its member organisations using a 5-level maturity model ranging from Level 0 (not implemented) to Level 4 (effective and continuously improving). To remain in good standing a bank must reach Level 3 within 18 months of licensing and Level 4 within three years. Most banks plateau at Level 2-3 because they confuse documentation with execution. This guide explains the difference and how to push from Level 2 to Level 4.

Who this applies to

  • Every SAMA-licensed financial institution.
  • Internal Audit teams running the self-assessment.
  • CISOs answering for their gap closure plan.

The five maturity levels

| Level | Label | Hallmark |
|---|---|---|
| 0 | Not Implemented | Control absent or unknown. |
| 1 | Ad Hoc | Practised inconsistently, not documented. |
| 2 | Repeatable but Informal | Documented, performed, but lacks formal oversight or metrics. |
| 3 | Structured & Formalised | Approved policy, role assignments, evidence trail, KPIs. |
| 4 | Effective & Operating | Continuous monitoring, periodic improvement, board oversight. |

Where Level 2 organisations get stuck

Common Level 2 anti-patterns:

  • The CISO does the heroics; the rest of the bank does not feel the controls.
  • Policies exist but are not reviewed annually.
  • A risk register exists but is rarely updated.
  • Incident response is verbal — the run-book only lives in one person's head.
  • KPIs are compiled monthly by hand.
  • Internal audit picks the same five controls every year.

Step 1: Establish ownership beyond the CISO

Map every control to:

  • Owner — the executive accountable for the control's outcome.
  • Operator — the person executing it.
  • Reviewer — the assurance function checking it.
  • Approver — the policy approver.

If any column says "CISO" for more than 20 controls, you are still at Level 2.
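The rule of thumb above is easy to check mechanically once the matrix is exported. The following is an added example, not code from the original guide or from SAMA: it parses a control-ownership matrix in CSV form (the four role columns and the "CISO" name are assumptions matching the text; the control ids and the sample matrix are constructed) and reports which role columns are concentrated on one person beyond the 20-control threshold, plus any control with a blank role cell.

```python
"""Control-ownership matrix check: an added example, not code from the
original guide or from SAMA. It detects the Step 1 symptom of one person
(assumed here to be listed as "CISO") named in a role column for more than a
threshold of controls, and controls with an empty role cell."""
import csv
import io
from collections import Counter

ROLES = ("owner", "operator", "reviewer", "approver")


def build_sample_matrix():
    """Constructed 24-control matrix; control ids are placeholders, not real
    SAMA CSF references. The CISO owns 22 controls and operates 15, and one
    control has no reviewer."""
    lines = ["control,owner,operator,reviewer,approver"]
    for i in range(1, 25):
        owner = "CISO" if i <= 22 else "Head of IT"
        operator = "CISO" if i <= 15 else "SOC Team"
        reviewer = "" if i == 24 else "Internal Audit"
        lines.append(f"CTRL-{i:02d},{owner},{operator},{reviewer},CEO")
    return "\n".join(lines)


SAMPLE_MATRIX = build_sample_matrix()


def parse_matrix(text):
    """Parse the CSV export of the ownership matrix into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def role_concentration(rows, person="CISO"):
    """Per role column, how many controls name `person` (case-insensitive)."""
    counts = Counter()
    for row in rows:
        for role in ROLES:
            if (row.get(role) or "").strip().lower() == person.lower():
                counts[role] += 1
    return dict(counts)


def missing_assignments(rows):
    """(control, role) pairs where the role cell is blank."""
    return [
        (row["control"], role)
        for row in rows
        for role in ROLES
        if not (row.get(role) or "").strip()
    ]


def assess(rows, person="CISO", threshold=20):
    """Apply the guide's rule of thumb: more than `threshold` controls in any
    single column for one person means ownership has not spread beyond them."""
    concentration = role_concentration(rows, person)
    overloaded = sorted(r for r, n in concentration.items() if n > threshold)
    gaps = missing_assignments(rows)
    return {
        "concentration": concentration,
        "overloaded_roles": overloaded,
        "gaps": gaps,
        "still_level_2": bool(overloaded) or bool(gaps),
    }


if __name__ == "__main__":
    result = assess(parse_matrix(SAMPLE_MATRIX))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the real export by replacing `SAMPLE_MATRIX` with the file contents; the `concentration` dict is also a useful exhibit for the assessor, since it shows the spread of ownership rather than just a pass/fail.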

Step 2: Cadence over heroics

Every Level 3+ control has a documented cadence: daily, weekly, monthly, quarterly. Sample for IAM:

```yaml
control: 3-3-1 Identity & Access Management
cadence:
  daily:     auto-deprovision dormant >45 days
  weekly:    shared-mailbox & service-account reconciliation
  monthly:   privileged-access certifications by line manager
  quarterly: full-population access review + KPI report to CRO
  annually:  identity-strategy refresh, IAM tooling roadmap
metrics:
  - dormant accounts at end of month                   (target ≤ 0)
  - privileged accounts not in vault                   (target = 0)
  - access reviews completed on time                   (target ≥ 95%)
  - service accounts with interactive logon enabled    (target = 0)
```

Step 3: Automate KPI collection

A Level 4 organisation does not manually count anything monthly. KPIs flow from:

  • SIEM (incidents, alerts, MTTD, MTTR).
  • PAM (privileged accounts, vault coverage).
  • IAM (dormant, joiner-mover-leaver SLA).
  • Vulnerability scanner (open vulns per severity, SLA compliance).
  • EDR (endpoint coverage).
  • DLP (events, false-positive rate).

Build a single dashboard refreshed nightly.
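To make the Step 2 metrics flow automatically rather than being counted by hand, the collection job needs to turn raw IAM and PAM data into a pass/fail snapshot against the stated targets. The following is an added example, not code from the original guide or from any IAM, PAM or SIEM product: it assumes an account export already flattened into records and an access-review log (both constructed below, with placeholder names and dates), applies the four Step 2 targets, and produces the per-metric snapshot a nightly dashboard would render. In practice the two inputs would be pulled from the IAM and PAM APIs each night.

```python
"""IAM KPI collection against the Step 2 targets: an added example, not code
from the original guide or from any IAM/PAM product. It assumes an account
export already flattened into records (constructed below) and an access-review
log; in practice these would be pulled nightly from IAM and PAM APIs."""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2024, 3, 31)   # constructed month-end reporting date
DORMANT_AFTER_DAYS = 45     # from the Step 2 cadence: auto-deprovision dormant >45 days


@dataclass
class Account:
    name: str
    kind: str                       # "user", "privileged" or "service"
    enabled: bool
    last_logon: date
    in_vault: bool = False          # meaningful for privileged accounts only
    interactive_logon: bool = False # meaningful for service accounts only


# Constructed sample export; names are placeholders.
ACCOUNTS = [
    Account("u.ahmed", "user", True, date(2024, 3, 28)),
    Account("u.sara", "user", True, date(2024, 1, 10)),      # 81 days idle -> dormant
    Account("u.khalid", "user", False, date(2023, 11, 1)),   # already disabled, not counted
    Account("adm.db01", "privileged", True, date(2024, 3, 30), in_vault=True),
    Account("adm.fw01", "privileged", True, date(2024, 3, 29), in_vault=False),
    Account("svc.backup", "service", True, date(2024, 3, 31)),
    Account("svc.etl", "service", True, date(2024, 3, 31), interactive_logon=True),
]

# Constructed access-review log: (due date, completion date or None if still open).
ACCESS_REVIEWS = [
    (date(2024, 3, 15), date(2024, 3, 14)),
    (date(2024, 3, 15), date(2024, 3, 20)),   # late
    (date(2024, 3, 15), date(2024, 3, 15)),
    (date(2024, 3, 15), None),                # not done
]

# Targets from the Step 2 metrics block: (comparison, threshold).
TARGETS = {
    "dormant_accounts": ("<=", 0),
    "privileged_not_in_vault": ("==", 0),
    "access_reviews_on_time_pct": (">=", 95.0),
    "service_interactive_logon": ("==", 0),
}


def dormant_accounts(accounts, as_of=AS_OF):
    """Enabled user accounts with no logon for more than DORMANT_AFTER_DAYS
    (assumption: disabled accounts are already dealt with and are excluded)."""
    return [a.name for a in accounts
            if a.kind == "user" and a.enabled
            and (as_of - a.last_logon).days > DORMANT_AFTER_DAYS]


def privileged_not_in_vault(accounts):
    return [a.name for a in accounts if a.kind == "privileged" and a.enabled and not a.in_vault]


def service_interactive_logon(accounts):
    return [a.name for a in accounts if a.kind == "service" and a.enabled and a.interactive_logon]


def access_reviews_on_time_pct(reviews):
    """Share of reviews completed on or before their due date. With nothing due
    the metric is reported as 100% (assumption: there is no backlog to measure)."""
    if not reviews:
        return 100.0
    on_time = sum(1 for due, done in reviews if done is not None and done <= due)
    return round(100.0 * on_time / len(reviews), 1)


def _met(value, comparison, threshold):
    return {"<=": value <= threshold, "==": value == threshold, ">=": value >= threshold}[comparison]


def collect_kpis(accounts, reviews, as_of=AS_OF):
    """Build the nightly KPI snapshot: value, target and pass/fail per metric,
    plus the offending account names so the dashboard can drill down."""
    raw = {
        "dormant_accounts": dormant_accounts(accounts, as_of),
        "privileged_not_in_vault": privileged_not_in_vault(accounts),
        "service_interactive_logon": service_interactive_logon(accounts),
    }
    snapshot = {}
    for name, offenders in raw.items():
        comparison, threshold = TARGETS[name]
        snapshot[name] = {"value": len(offenders), "target": f"{comparison} {threshold}",
                          "met": _met(len(offenders), comparison, threshold), "detail": offenders}
    pct = access_reviews_on_time_pct(reviews)
    comparison, threshold = TARGETS["access_reviews_on_time_pct"]
    snapshot["access_reviews_on_time_pct"] = {"value": pct, "target": f"{comparison} {threshold}",
                                              "met": _met(pct, comparison, threshold), "detail": []}
    return snapshot


if __name__ == "__main__":
    for name, row in collect_kpis(ACCOUNTS, ACCESS_REVIEWS).items():
        status = "OK  " if row["met"] else "MISS"
        print(f"[{status}] {name}: {row['value']} (target {row['target']}) {row['detail']}")
```

Keeping the `detail` list alongside the count matters for the evidence trail: the assessor can trace a red tile on the dashboard back to the specific accounts, which is the difference between a reported number and an auditable one.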

Step 4: Closed-loop improvement

Every quarterly KPI review must produce:

  • One Risk Treatment Plan update.
  • One internal audit referral if a metric trends down for 2 quarters.
  • One process improvement actioned and tracked to completion.

This is what separates "documented" (Level 3) from "improving" (Level 4).
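The three outputs above can be generated from the KPI history rather than decided in the meeting. The following is an added example, not code from the original guide: it takes a quarterly KPI series per metric (constructed below, with placeholder metric names and owners) and applies the Step 4 rules as written, opening a Risk Treatment Plan update for every missed target, raising an internal-audit referral when a metric has moved the wrong way for two consecutive quarters, and nominating one improvement action with an owner and a due quarter. The choice of the worst target miss as the improvement candidate is an assumption, not a SAMA rule.

```python
"""Closed-loop quarterly KPI review: an added example, not code from the
original guide. It encodes the Step 4 outputs as rules over a quarterly KPI
series (constructed below): a missed target opens a Risk Treatment Plan update,
two consecutive quarters moving the wrong way raise an internal-audit referral,
and the worst miss becomes the quarter's tracked improvement action."""
from dataclasses import dataclass


@dataclass
class MetricSeries:
    name: str
    values: list            # one reading per quarter, oldest first
    target: float
    higher_is_better: bool
    owner: str              # placeholder owner for the action record


# Constructed quarterly history; names, owners and values are placeholders.
SAMPLE = [
    MetricSeries("access_reviews_on_time_pct", [97, 96, 93, 90], 95, True, "Head of IAM"),
    MetricSeries("mttd_hours", [10, 8, 9, 7], 8, False, "SOC Manager"),
    MetricSeries("phishing_click_pct", [6.0, 5.0, 4.5, 3.8], 4, False, "Awareness Lead"),
    MetricSeries("edr_coverage_pct", [99, 99, 98.5], 98, True, "Endpoint Lead"),
]


def trending_worse(values, higher_is_better, quarters=2):
    """True when every one of the last `quarters` quarter-on-quarter moves went
    in the wrong direction (flat readings do not count as worsening)."""
    if len(values) < quarters + 1:
        return False
    tail = values[-(quarters + 1):]
    steps = list(zip(tail, tail[1:]))
    if higher_is_better:
        return all(later < earlier for earlier, later in steps)
    return all(later > earlier for earlier, later in steps)


def meets_target(m):
    latest = m.values[-1]
    return latest >= m.target if m.higher_is_better else latest <= m.target


def target_gap(m):
    """Distance of the latest reading from target: positive when missed,
    negative when met with margin."""
    latest = m.values[-1]
    return (m.target - latest) if m.higher_is_better else (latest - m.target)


def next_quarter(label):
    """'2024-Q1' -> '2024-Q2', '2024-Q4' -> '2025-Q1' (label format is an assumption)."""
    year, q = label.split("-Q")
    year, q = int(year), int(q)
    return f"{year + 1}-Q1" if q == 4 else f"{year}-Q{q + 1}"


def quarterly_review(metrics, quarter):
    """Produce the Step 4 outputs for one quarterly review."""
    actions = {"risk_treatment_updates": [], "audit_referrals": [], "improvement": None}
    for m in metrics:
        if not meets_target(m):
            actions["risk_treatment_updates"].append(m.name)
        if trending_worse(m.values, m.higher_is_better):
            actions["audit_referrals"].append(m.name)
    # Always nominate one improvement: the worst miss, or, if every target is
    # met, the metric with the thinnest margin (assumption, not a SAMA rule).
    candidate = max(metrics, key=target_gap)
    actions["improvement"] = {
        "metric": candidate.name,
        "owner": candidate.owner,
        "due": next_quarter(quarter),
        "status": "open",
    }
    return actions


if __name__ == "__main__":
    for key, value in quarterly_review(SAMPLE, "2024-Q1").items():
        print(f"{key}: {value}")
```

The `improvement` record carries an owner, a due quarter and a status so it can be tracked to completion in the next review, which is the evidence that distinguishes an improving organisation from one that merely reports numbers.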

Step 5: Independent challenge

For Level 4 SAMA expects:

  • Internal audit covers 25% of controls annually with deep substantive tests.
  • Independent assessment (external) every 2 years.
  • Red-team exercise annually with the findings retested.
  • Board reviews the cybersecurity dashboard quarterly and challenges trends.

Step 6: Culture

Level 4 has cybersecurity built into the way business operates:

  • Every new product launch passes a cyber sign-off before go-live.
  • Every M&A integration includes a cyber due-diligence stream.
  • Every change request carries a cyber-impact statement.
  • Phishing simulation click rate is below 4% across the bank.

Common gotchas

  • Inflated self-assessment — when challenged the bank cannot show evidence. Independent assessment reduces the score by an average of 0.6 levels.
  • Documentation tornado — 1,000-page policy library that nobody reads.
  • KPI dashboard that nobody owns — gets stale within two quarters.

Verification

  • Control ownership matrix.
  • KPI dashboard refreshed nightly.
  • Quarterly cyber-dashboard pack to the Risk Committee.
  • Internal audit annual coverage report.
  • Phishing simulation results trending downward.
  • External assessment within last 24 months.

Conclusion

The jump from Level 2 to Level 4 is organisational, not technical. Spread ownership, automate the metrics, force closed-loop improvement, and let independent assurance pressure-test the result. Level 4 is repeatable, not heroic.


SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
