Cybersecurity Controls Requirements - Dec 2022

This document provides guidelines for third party cybersecurity controls requirements. It outlines general requirements for controls related to cybersecurity policies, password protection, multi-factor authentication, user access management, user training, and prohibiting personal email for sharing company data. The guidelines are intended to ensure third parties provide comprehensive evidence for each control to demonstrate compliance with the requirements during remote or on-site audits.

Third Party Cybersecurity Controls

Guideline
12/7/2022

Saudi Aramco: Company General Use


Table of Contents
• Objective
• Cybersecurity Controls' Requirement
  1. General Requirements
  2. Specific Requirements


• Objective
The objective of the Third Party Cybersecurity Compliance Certification Program is to ensure that all third parties adhere to the cybersecurity requirements in SACS-002, Third Party Cybersecurity Standard, by obtaining a Cybersecurity Compliance Certificate from an Authorized Audit Firm. This manual gives the third party the guidance needed to fulfill the requirements of each cybersecurity control, so that supporting, required and comprehensive evidence is provided as part of the third party compliance package submitted to the authorized audit firm.

• Cybersecurity Controls' Requirement

This cybersecurity controls guidance document must be used as a reference to ensure unified expectations for the evidence to be provided for each cybersecurity control. The guideline must be used for remote assessments, where third parties must provide a comprehensive assessment package covering all the controls' requirements stated in this document. It can also be used for on-site assessments, where audit firms verify the evidence against each control's requirements. Where a control is not applicable, the third party must complete the inapplicability form with the required justification for each inapplicable control.

1. General Requirements

Each control below gives its Control #, its Control Statement, and the Controls' Requirements (the evidence to be provided).

TPC-1
Control Statement: Third Party must establish, maintain and communicate a Cybersecurity Acceptable Use Policy (AUP) governing the use of Third Party Technology Assets.
Controls' Requirements:
- Provide a copy of the approved AUP.
- Provide a sample of the communication sharing the AUP with employees.
- Provide the different versions of the approved and communicated AUP, showing successive releases and updates.

TPC-2
Control Statement: Password protection measures must be enforced by the Third Party. The following are recommended measures:
- Minimum length: 8 alphanumeric characters and special characters.
- History: last 12 passwords.
- Maximum age: 90 days for login authentication.
- Account lockout threshold: 10 invalid login attempts.
- Screen saver settings: automatically locked within 15 minutes of inactivity.
Controls' Requirements:
- Provide technical check evidence confirming compliance with the control requirements.
- Provide evidence of the password configuration in Active Directory to show that default settings are not used. If Active Directory does not exist, provide evidence from the local password policy on a sample of login systems.
- Provide a copy of the password policy, which should comply with the control requirements and with the technical check findings.
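For the "local password policy on a sample of login systems" evidence, an auditor usually receives the output of `secedit /export /cfg policy.inf` from each sampled workstation. The script below is an added example (it is not part of the guideline) that reads the [System Access] section of such an export and reports each TPC-2 measure as pass or fail, including the two encodings that are easy to misread as compliant: MaximumPasswordAge = -1 means the password never expires, and LockoutBadCount = 0 means lockout is disabled. The INF text is a constructed sample of a machine still on Windows defaults; a real export is UTF-16, so open it with encoding="utf-16".

```python
"""Audit-side check of an exported local password policy against TPC-2.

Added example, not part of the Saudi Aramco guideline. Input is the INF file
written by `secedit /export /cfg policy.inf` (decode it with encoding="utf-16").
The screen-saver lock measure of TPC-2 is not in this export; see the note below.
"""
import configparser

# TPC-2 thresholds. "min": observed must be at least the limit; "max": at most.
REQUIRED = {
    "MinimumPasswordLength": ("min", 8),
    "PasswordComplexity":    ("min", 1),    # 1 = alphanumeric plus special characters
    "PasswordHistorySize":   ("min", 12),
    "MaximumPasswordAge":    ("max", 90),
    "LockoutBadCount":       ("max", 10),
}

# Constructed sample export: a workstation still on Windows default settings.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(inf_text: str) -> dict:
    """Return the [System Access] section; numeric values as int, others as str."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep secedit's CamelCase key names
    cp.read_string(inf_text)
    settings = {}
    for key, value in cp["System Access"].items():
        try:
            settings[key] = int(value)
        except ValueError:
            settings[key] = value             # e.g. NewAdministratorName = "Administrator"
    return settings


def check_tpc2(settings: dict) -> dict:
    """Map each TPC-2 measure to (observed_value, compliant)."""
    results = {}
    for key, (kind, limit) in REQUIRED.items():
        observed = settings.get(key)
        if not isinstance(observed, int):
            results[key] = (observed, False)  # missing: compliance cannot be shown
        elif key == "MaximumPasswordAge" and observed == -1:
            results[key] = (observed, False)  # -1 means "password never expires"
        elif key == "LockoutBadCount" and observed == 0:
            results[key] = (observed, False)  # 0 means lockout is disabled
        elif kind == "min":
            results[key] = (observed, observed >= limit)
        else:
            results[key] = (observed, observed <= limit)
    return results


def is_compliant(inf_text: str) -> bool:
    """True only when every TPC-2 measure in the export passes."""
    return all(ok for _, ok in check_tpc2(parse_system_access(inf_text)).values())


if __name__ == "__main__":
    for key, (observed, ok) in check_tpc2(parse_system_access(SAMPLE_INF)).items():
        print(f"{key:22} observed={observed!s:14} {'PASS' if ok else 'FAIL'}")
```

For domain-joined systems the equivalent evidence comes from the domain policy (for example the output of Get-ADDefaultDomainPasswordPolicy, plus any fine-grained policies that override it for particular groups) rather than from each workstation. The screen-saver measure is not part of the secedit export: it is evidenced from the applied Group Policy or the registry values under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, where ScreenSaveTimeOut is in seconds (900 or less for the 15-minute rule) and ScreenSaverIsSecure must be 1 so the lock is enforced.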
TPC-3
Control Statement: Third Party must not write down, electronically store in clear text, or disclose any password or authentication code that is used to access Assets or Critical Facilities.
Controls' Requirements:
- Provide a copy of the password disclosure policy.
- Provide a copy of the actions taken when a password disclosure has happened, as part of consequence management.

TPC-4
Control Statement: Multi-factor authentication must be enforced on all remote access, including access from the Internet, to Third Party Company computing resources.
Controls' Requirements:
- Provide technical check evidence confirming that strong authentication (e.g., multi-factor) is in place on remote users' access; clear evidence of the authentication page must be provided.
- Provide the policies and procedures covering remote users' access, as part of the third party access control policy.

TPC-5
Control Statement: Multi-factor authentication must be enforced on all access to Cloud services utilized by the Third Party, including access to cloud-based email.
Controls' Requirements:
- Provide technical check evidence confirming that strong authentication (e.g., multi-factor) is in place on cloud access; clear evidence of the authentication page must be provided.
- Provide the policies and procedures covering cloud security, as part of the third party access control policy.

TPC-6
Control Statement: Third Party must inform Saudi Aramco when employees provided with Saudi Aramco user credentials no longer need their access, or are transferred, re-assigned, retired, resigned or no longer associated with the Third Party.
Controls' Requirements:
- Provide the third party policy/contract governing the handling of Saudi Aramco credentials.
- Provide a sample of the communication (email) sent to Saudi Aramco to revoke accounts that are no longer valid.
- Provide evidence of revoked accounts belonging to people who have retired, resigned or are no longer associated with the Third Party.

TPC-7
Control Statement: Third Party must require all information systems users to take a yearly mandatory Cybersecurity training that addresses acceptable use and good computing practices. Training must address the following topics:
1. Internet and social media security
2. Cybersecurity Acceptable Use
3. Social Engineering and phishing emails
4. Sharing credentials (i.e. username and password)
5. Data Security
Controls' Requirements:
- Provide the acceptable use policy and/or training materials so the adequacy of the content can be checked.
- Provide user training reports and/or documentation showing that users are trained in accordance with the applicable policy, guidance and/or requirement (e.g., annual cybersecurity training of all employees).
- Provide evidence that the training materials are updated in response to changes in the cyber threat environment.

TPC-8
Control Statement: Third Party must inform personnel, in keeping with Third Party Company Policy, that using personal email to share and transmit Saudi Aramco data is strictly prohibited.
Controls' Requirements:
- Provide the Third Party Company Policy and contract terms on the use of personal email.
- Provide the Third Party policy/contract showing that third parties comply with the cybersecurity responsibilities defined in contracts and agreements.
- Provide the related emails communicated to the third party's employees demonstrating compliance with this control.
- Provide the relevant countermeasures the third party has taken to comply with the control requirements.

TPC-9
Control Statement: Third Party must inform personnel, in keeping with Third Party Company Policy, that disclosing Saudi Aramco policies, procedures and standards or any type of data to unauthorized entities or on the Internet is strictly prohibited.
Controls' Requirements:
- Provide the Third Party policy, including contracts and agreements, that highlights the prohibition on disclosing Aramco-related data.
- Provide the related emails communicated to the third party's employees demonstrating compliance with this control.
- Provide the relevant countermeasures the third party has taken in case of disclosure of Saudi Aramco data.

TPC-10
Control Statement: All Third Party Technology Assets and Systems must be password protected.
Controls' Requirements:
- Provide evidence of the asset management policy that defines the protection of Technology Assets.
- Provide evidence of the policy requiring all third party systems to be password protected.

TPC-11
Control Statement: Third Party Technology Assets and Systems must be regularly updated with operating system (OS), software and applet patches (i.e. Adobe, Flash, Java etc.).
Controls' Requirements:
- Provide evidence of the patch management policy and procedures.
- Provide evidence from a sample of workstations showing that the OS and software are up to date.
- Provide evidence of the scheduling and the technology used for patch and update deployment.

TPC-12
Control Statement: Third Party Technology Assets must be protected with anti-virus (AV) software. Updates must be applied daily, and full system scans must be performed every two weeks.
Controls' Requirements:
- Provide evidence of the anti-virus installed on endpoint devices.
- Provide evidence from the configuration console of the installed anti-virus software showing the last updates and full system scan performed.
- Provide evidence of the update history.

TPC-13
Control Statement: Third party must implement Sender Policy Framework (SPF) technology on the mail server.
Controls' Requirements:
- Provide evidence of SPF implementation on the third party mail server.

TPC-14
Control Statement: Third party must enforce the Sender Policy Framework (SPF) feature on Saudi Aramco email domains: Aramco.com and Aramco.com.sa.
Controls' Requirements:
- Provide evidence of SPF enforcement on the Saudi Aramco email domains Aramco.com and Aramco.com.sa.

TPC-15
Control Statement: Third Party must publish an SPF record in its DNS server.
Controls' Requirements:
- Provide evidence of the SPF record on the third party DNS server.
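TPC-13 and TPC-15 are the sending side of SPF (the third party publishes a record for its own domain), while TPC-14 is the receiving side: the third party's mail gateway must evaluate SPF on inbound mail whose envelope sender (MAIL FROM) claims Aramco.com or Aramco.com.sa and act on a fail result. A published record is only useful for enforcement if it ends in "-all" and stays within the ten-DNS-lookup limit of RFC 7208, so the checker below, an added example that is not part of the guideline, parses a record and reports those findings. The records in RECORDS are constructed test data, not the real DNS records of any domain named on this page.

```python
"""Assess a published SPF TXT record and report what a receiving gateway can enforce.

Added example, not part of the Saudi Aramco guideline. Offline: the records are
constructed, and no DNS query is made (fetch the live record separately, e.g.
with `nslookup -type=TXT <domain>`).
"""

# Terms that cost a DNS lookup during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed examples; example.net/.org are reserved documentation domains.
RECORDS = {
    "strict":   "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
    "softfail": "v=spf1 mx include:_spf.example.org ~all",
    "open":     "v=spf1 +all",
    "too_many": "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " -all",
}


def parse_spf(record: str) -> dict:
    """Split a record into mechanisms, modifiers, the 'all' verdict and the lookup count."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    parsed = {"mechanisms": [], "modifiers": {}, "all": None, "lookups": 0}
    for term in terms[1:]:
        if "=" in term and term[0] not in QUALIFIERS:     # modifier: redirect=, exp=
            name, _, value = term.partition("=")
            name = name.lower()
            parsed["modifiers"][name] = value
            parsed["lookups"] += name in LOOKUP_TERMS
            continue
        qualifier = "+"                                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]                  # "a/24" -> "a"
        parsed["lookups"] += name in LOOKUP_TERMS
        if name == "all":
            parsed["all"] = QUALIFIERS[qualifier]
            break                                          # terms after "all" are ignored
        parsed["mechanisms"].append((QUALIFIERS[qualifier], name, arg))
    return parsed


def assess_spf(record: str) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    try:
        p = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if p["all"] is None and "redirect" not in p["modifiers"]:
        findings.append("no terminal 'all': unlisted senders evaluate to neutral, so nothing can be rejected")
    elif p["all"] in ("pass", "neutral"):
        findings.append(f"'{p['all']}' on all: the record never fails a spoofed sender")
    elif p["all"] == "softfail":
        findings.append("'~all' softfail: receivers usually only mark such mail; use '-all' for enforcement")
    if p["lookups"] > MAX_LOOKUPS:
        findings.append(f"{p['lookups']} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}: receivers return permerror")
    if any(name == "ptr" for _, name, _ in p["mechanisms"]):
        findings.append("'ptr' mechanism is deprecated; replace it with ip4/ip6 or include")
    return findings


if __name__ == "__main__":
    for label, record in RECORDS.items():
        print(label, "->", assess_spf(record) or ["OK"])
```

For TPC-14 the evidence is on the gateway, not in DNS: the inbound policy that rejects (not merely tags) mail failing SPF for the two Aramco domains, together with a log line of a test message from an unauthorized source being rejected. SPF is evaluated on the envelope sender and the connecting IP, so it does not by itself constrain the visible From: header.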
TPC-16
Control Statement: Third Party must inspect all incoming emails originating from the Internet using anti-spam protection.
Controls' Requirements:
- Provide evidence that anti-spam protection is applied to all incoming emails on the email security appliance.

TPC-17
Control Statement: Third Party must use a private email domain. Generic domains, such as Gmail and Hotmail, must not be used.
Controls' Requirements:
- Provide evidence of the third party acceptable use policy (AUP) that mandates the use of the third party's private email domain only and prohibits the use of generic domains.

TPC-18
Control Statement: Third Party must have formal procedures for off-boarding employees. Off-boarding procedures must include the return of assets, and removal of all associated access.
Controls' Requirements:
- Provide evidence of the third party termination procedures, to determine whether accounts/access are disabled in a timely manner.
- Provide evidence of the return of assets.
- Provide samples of the removal of all access to Assets as part of the third party off-boarding procedures.

TPC-19
Control Statement: Assets used to process or store Saudi Aramco data and information must be sanitized by the end of the Data Life Cycle, or by the end of the retention period as stated in the Contract, if defined. This includes all data copies such as backup copies created at any Third Party site(s). Third party shall certify in writing to Saudi Aramco that the data sanitization has been completed.
Controls' Requirements:
- Provide evidence of the third party sanitization (data destruction) policies.
- Provide evidence that sanitization techniques and procedures are commensurate with the security category or classification of the information or asset, and in accordance with organizational standards and policies.
- Provide proof (e.g., destruction certificates) that media sanitization is occurring according to policy.

TPC-20
Control Statement: Third Party must obtain a Cybersecurity Compliance Certificate (CCC) from Saudi Aramco authorized audit firms in accordance with the third-party classification requirements set forth in this Standard (Section II). Third Parties must submit the CCC to Saudi Aramco through the Saudi Aramco e-Marketplace system.
Controls' Requirements:
- Saudi Aramco third parties must obtain a Cybersecurity Compliance Certificate (CCC) from Saudi Aramco authorized audit firms, which attests adherence to this standard.
- If a CCC has previously been obtained, evidence of the certificate submission should be provided.

TPC-21
Control Statement: Third Party must renew the CCC every two (2) years.
Controls' Requirements:
- Saudi Aramco third parties must renew the CCC every two (2) years as per the standard requirements.
- A copy of the latest CCC obtained must be provided.

TPC-22
Control Statement: Firewalls must be configured and enabled on endpoint devices.
Controls' Requirements:
- Provide evidence of the firewall settings for all third party endpoint devices, including the related policies for enabling firewalls.
- Provide evidence that the firewall is enabled for the domain, public and private profiles on a sample of third party endpoint devices.

TPC-23
Control Statement: If Third Party discovers a Cybersecurity Incident, Third Party must (besides its continuous efforts to resolve and mitigate the Incident):
- Notify SAUDI ARAMCO within twenty-four (24) hours of discovering the Incident.
- Follow the Cybersecurity Incident Response Instructions set forth in Appendix A.
Controls' Requirements:
- Provide evidence of the third party cybersecurity incident management policies and procedures that conform with the requirements of this control.

2. Specific Requirements

TPC-24
Control Statement: Third Party must have policies and processes to classify information in terms of its value, criticality and confidentiality.
Controls' Requirements:
- Provide evidence of the third party data classification policy.
- Provide evidence of the third party Data Classification program, showing that all key resources (e.g., hardware, devices, data, software) are classified based on risk.

TPC-25
Control Statement: Third Party must establish, maintain and communicate Cybersecurity Policies and Standards.
Controls' Requirements:
- Provide evidence of the third party Cybersecurity Policies and Standards.
- Provide evidence that the Cybersecurity Policies are communicated to employees.
- Provide the different versions of policy updates.

TPC-26
Control Statement: Third Party must be staffed by employee(s) whose primary responsibility is Cybersecurity. Responsibilities of that personnel must include maintaining the security of information systems and ensuring compliance with existing policies.
Controls' Requirements:
- Provide a copy of the organizational chart.
- Provide evidence of job descriptions, agreements, RACI charts, service level agreements (SLAs) and/or contracts, to determine whether they include cybersecurity roles and responsibilities.

TPC-27
Control Statement: Third Party must conduct annual external Penetration Testing on its IT infrastructure systems, and internet facing applications.
Controls' Requirements:
- Provide evidence of penetration testing reports conducted and analyzed on the IT infrastructure, considering all critical, internal and external systems, and internet facing applications.
- Provide evidence that a policy covering penetration test schedule, scope and requirements exists and is communicated to stakeholders.
- Provide evidence of the remediation and action plan related to the penetration test results.

TPC-28
Control Statement: Third Party must conduct annual external Penetration Testing on Cloud Computing Service(s) used by Saudi Aramco.
Controls' Requirements:
- Provide evidence of penetration testing reports conducted on the Cloud Computing Service(s) used by Saudi Aramco.
- Provide evidence that a policy covering penetration test schedule, scope and requirements exists and is communicated to stakeholders.
- Provide evidence of the remediation and action plan related to the penetration test results.

TPC-29
Control Statement: If Third Party is hosting a website for Saudi Aramco, annual Penetration Testing must be conducted to test website security.
Controls' Requirements:
- Provide evidence of penetration testing reports conducted to test website security.
- Provide evidence that a policy covering penetration test schedule, scope and requirements exists and is communicated to stakeholders.
- Provide evidence of the remediation and action plan related to the penetration test results.

TPC-30
Control Statement: Third party data center must be certified by an internationally-recognized authority.
Controls' Requirements:
- Provide evidence of the data center certificate from an internationally-recognized authority.

TPC-31
Control Statement: Third Party must have a process to conduct Cybersecurity Risk Assessment on a regular basis, to identify, assess and remediate Risks to data and information systems.
Controls' Requirements:
- Provide evidence of the framework or process used for risk management. Consider the following:
- Provide evidence of the organization's risk management plan showing the organization's response to risk levels.
- Provide evidence of the risk register.
- Provide evidence of a risk management plan that is designed to accept or reduce the risk level in accordance with the organization's risk appetite/tolerance.

TPC-32
Control Statement: Users accessing applications and information systems must be issued unique user logins and passwords. Generic accounts must not be allowed, unless explicitly approved, restricted and controlled.
Controls' Requirements:
- Provide evidence of the access management policy that states the requirement to use unique accounts.
- For on-site assessment, test a sample of servers/systems to determine whether unique accounts are used.

TPC-33
Control Statement: User access to the operating system, applications and database must be reviewed on a semiannual basis to determine if accessing personnel still require such access.
Controls' Requirements:
- Provide evidence of the access management policy.
- Provide evidence that user access profiles are consistent with their job functions (based on least privilege).
- Provide evidence that role-based access controls are implemented (e.g., access rights are assigned to roles rather than to users).
- Provide evidence that excessive permissions are not granted.

TPC-34
Control Statement: All privileged accounts must be limited, justified and reviewed on a regular basis.
Controls' Requirements:
- Provide evidence of a policy that sets out the procedure for obtaining and revoking admin privileges based on job requirements/function.
- Provide evidence of the third party process to identify privileged users.
- Provide evidence that privileged accounts are reviewed regularly.

TPC-35
Control Statement: Remote administrative access from the Internet must not be allowed, unless explicitly approved, restricted and controlled.
Controls' Requirements:
- Provide evidence of policies and procedures ensuring that remote users' access capabilities are explicitly approved, restricted and controlled. Consider that remote connections are only opened as required and are encrypted.

TPC-36
Control Statement: Network connections to information systems and applications at the Third Party's location must be authorized and monitored.
Controls' Requirements:
- Provide evidence of policies and procedures formalizing remote users' access capabilities. Consider that remote users (e.g., employees, contractors, third parties) with access to critical systems are approved and documented, and that remote connections are logged and monitored.

TPC-37
Control Statement: Multi-factor authentication must be enforced on all privileged account access, including remote access to information systems and applications.
Controls' Requirements:
- Provide evidence of policies enforcing the use of multi-factor authentication on all privileged account access, including remote access to information systems and applications.
- Provide evidence of the multi-factor authentication page and configuration console.

TPC-38
Control Statement: Third Party must logically (e.g. partitioning a physical drive) and/or physically segregate data-at-rest related to Saudi Aramco from the data of other clients or customers.
Controls' Requirements:
- Provide evidence of logical segregation on the physical drives used to store Saudi Aramco data.
- Provide evidence of physical segregation, including a dedicated data room/files for Saudi Aramco data.
- Provide evidence of the Third Party policy on the treatment of third party data, including Saudi Aramco data.

TPC-39
Control Statement: Saudi Aramco Critical Data documents must only be shared with limited individuals who are part of the work specified in the Contract.
Controls' Requirements:
- Provide evidence that Saudi Aramco Critical Data documents are classified and differentiated from other critical data.
- Provide evidence of the Third Party policy on sharing Saudi Aramco data.

TPC-40
Control Statement: Server and workstation subnets must be segmented, and access between them must be restricted and monitored.
Controls' Requirements:
- Provide evidence that server and workstation subnets are segmented.
- Provide evidence of the range of subnets assigned to different assets.
- Provide evidence that the segmentation is monitored.

TPC-41
Control Statement: Servers accessible from the Internet must be placed in a DMZ (i.e. perimeter network) with restricted access to internal subnets.
Controls' Requirements:
- Provide evidence that high-value/critical systems are separated from high-risk systems (e.g., VLAN, DMZ, hard backups, air-gapping) where possible.
- Provide network diagrams and data flow diagrams.
- Provide evidence of monitoring of the traffic between the DMZ zones and the internal subnets.

TPC-42
Control Statement: Wireless networks accessing information systems must use strong encryption for authentication and transmission, such as WPA2 or WPA2 Enterprise.
Controls' Requirements:
- Provide evidence of the access point configuration.
- Provide evidence of the wireless baseline details.

TPC-43
Control Statement: Third Party data center must have the required tier rating and high-availability of service failover as determined by Saudi Aramco.
Controls' Requirements:
- Provide evidence of the data center tier rating.
- Provide evidence of high-availability of service failover.

TPC-44
Control Statement: Multi-factor authentication must be enforced on Saudi Aramco users accessing a Cloud Service Provider's Public Cloud Computing Service storing or hosting Saudi Aramco Critical Data.
Controls' Requirements:
- Provide technical check evidence confirming that strong authentication (e.g., multi-factor) is in place for Saudi Aramco users accessing the Cloud Service Provider's Public Cloud Computing Service that stores or hosts Saudi Aramco Critical Data.
- Clear evidence of the authentication page must be provided.
- Provide the policies and procedures covering cloud security, as part of the access control policy.

TPC-45
Control Statement: Multi-factor authentication must be enforced on end-users accessing Content Management Services (CMS) of a Cloud Computing Service.
Controls' Requirements:
- Provide technical check evidence confirming that strong authentication (e.g., multi-factor) is in place on the Content Management Services (CMS) of the Cloud Computing Service.
- Clear evidence of the authentication page must be provided.
- Provide the policies and procedures covering cloud security, as part of the access control policy.

TPC-46
Control Statement: All systems (routers, switches, servers and firewalls) must be housed in a communication room and locked rack(s). Access to the communication room must be contingent on security requirements such as access card readers or biometric devices.
Controls' Requirements:
- Provide evidence that physical security controls are used to prevent unauthorized access to telecommunication systems.
- Provide evidence that access is restricted to authorized people.

TPC-47
Control Statement: Third party must define a process for visitor management. The process should include maintaining and regularly reviewing visitor logs. The visitor log should capture information such as:
- Visitor identification, e.g. Government ID
- Visit purpose
- Check-in/check-out date and time
Controls' Requirements:
- Provide evidence of the third party visitor management policy.
- Provide evidence of visitor logs, including the following:
  - Visitor Government ID
  - Visit purpose
  - Check-in/check-out date and time

TPC-48
Control Statement: Visitors accessing Critical Facilities must be escorted at all times.
Controls' Requirements:
- Provide evidence of a policy that states the requirement to escort visitors accessing critical facilities on the company premises.

TPC-49
Control Statement: Third Party must dedicate an access-restricted working area for personnel with access to the Saudi Aramco network.
Controls' Requirements:
- Provide evidence that a dedicated working area is allocated for Saudi Aramco projects and workstations.
- Provide evidence of the physical security controls implemented in the Aramco working area.

TPC-50
Control Statement: Backup media must be secured to block/inhibit unauthorized physical access.
Controls' Requirements:
- Provide evidence of the physical security controls implemented for backup media.
- Provide evidence of the backup media policy and configuration.

TPC-51
Control Statement: Technology Assets and Systems connected to the Internet must be licensed and supported by the provider.
Controls' Requirements:
- Provide evidence of the third party asset management inventory, showing that systems and assets connected to the Internet are licensed and supported by the provider.

TPC-52
Control Statement: Third Party must encrypt data in transit (e.g. SSH, FTPS, HTTPS, IPsec).
Controls' Requirements:
- Provide evidence from the web security appliance that encryption technology is used and enabled when data is transmitted across publicly-accessible networks.
- Provide evidence that adequate policies are in place for the transmission of data, especially data transmitted via email.

TPC-53
Control Statement: Third Party must encrypt (e.g. using HTTPS) sessions in which Critical Saudi Aramco information or data is transmitted to and from Public Cloud Computing Services, and must enforce session authentication, lockout, and timeout.
Controls' Requirements:
- Provide evidence of the applied configuration from the available security appliance, showing the use of secure transmission protocols.
- Provide evidence of the configuration for session authentication enforcement, lockout, and timeout.

TPC-54
Control Statement: Third Party must implement encryption mechanisms, using at least the AES encryption algorithm with a 256-bit key, on all devices or storage media hosting sensitive data per the Third Party's asset classification policy.
Controls' Requirements:
- Provide evidence of the encryption mechanisms applied on all devices, including disk drives, by checking BitLocker Drive Encryption. Note that the BitLocker default cipher is XTS-AES 128-bit; the encryption method reported for each volume (e.g. by `manage-bde -status`) must be XTS-AES 256 to meet the 256-bit key requirement, and the cipher strength has to be set by policy before the drive is encrypted.
- Provide evidence of a policy ensuring that mobile devices (e.g., laptops, tablets, and removable media) used to store confidential data are encrypted.

TPC-55
Control Statement: Encryption key management capability, including preservation and retrieval, must be defined, applied, and periodically reviewed.
Controls' Requirements:
- Provide evidence of the encryption key management procedure and policy.
- Provide evidence of the key management configuration.

TPC-56
Control Statement: Third Party must implement a device control mechanism on Assets that are used to receive, store, process or transmit Saudi Aramco data, such as disabling the use of external storage media.
Controls' Requirements:
- Provide evidence that assets used to conduct Aramco business have removable media restrictions, showing that the restrictions work as expected and comply with the organization's policy.
- Provide evidence of the removable media policy, which may include:
  - Encryption of removable media
  - Restricted access to removable media (e.g., USB restrictions)

TPC-57
Control Statement: Access to the Internet must be restricted by content-filtering technologies to block:
• Malicious and suspicious websites.
• Personal and non-company email services.
• Personal and non-company-approved public cloud services.
Controls' Requirements:
- Provide evidence of the technology used for content filtering.
- Provide evidence that non-business sites (malicious websites, personal and non-company email services, and non-company-approved public cloud services) are being blocked.
- Provide evidence of appropriate configuration for access to web-based email and cloud storage services.

TPC-58
Control Statement: Documents containing Saudi Aramco Critical Data must be encrypted and stored securely with access limited to authorized personnel.
Controls' Requirements:
- Provide evidence of the policy under which documents must only be shared with limited individuals who are part of the work specified in the Contract.
- Provide evidence that documents are password protected and that the passwords used to unlock them:
  - Must never be stored.
  - Must never be shared through the same communication method (e.g. email) as the documents.
  - Must be communicated to the recipient(s) over the phone, in person or via SMS text message.
  - Must be in line with the password protection measures stated in Control Number "TPC-2" in this Standard, in agreement with a Saudi Aramco eligible recipient of the document.
- Provide evidence that hardcopy documents are stored securely in a dedicated and locked cabinet with access limited to authorized personnel.

TPC-59
Control Statement: A remote wipe solution must be installed on all tablets and mobile phones used to receive, store and/or produce Critical Data for Saudi Aramco.
Controls' Requirements:
- Provide evidence that the ability to wipe data remotely from mobile devices that are missing or stolen is enabled.
- Provide evidence of the policy related to remote access and the remote wipe solution used.

TPC-60
Control Statement: Third Party must implement data validation on all input fields of applications or Cloud Computing Services used by Saudi Aramco, so that only input with a valid data type, syntax and length range is accepted.
Controls' Requirements:
- Provide evidence that sample input fields are tested for accepting only valid data types, syntax and length range, as part of user acceptance testing.
- Provide evidence of the data validation policy.
- Provide evidence of the applied configuration.

TPC-61
Control Statement: Application error messages must not display any technical information.
Controls' Requirements:
- Provide evidence of error message handling as part of the application design document.
- Provide samples of the error messages generated by the application.
- Provide evidence of the error messages shown on login failure for username and password.
- Provide evidence of the Secure Programming Policy.
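The two application controls above are usually evidenced together, since the same request handler shows both: an allowlist that accepts only the expected type, syntax and length (TPC-60) and a failure path that returns a generic message with a reference number while the technical detail stays in the server log (TPC-61). The following is an added example and not code from the guideline; the field schema, the stand-in storage classes and the database error text are constructed for illustration.

```python
"""Input validation (TPC-60) and non-revealing error handling (TPC-61) in one handler.

Added example, not part of the Saudi Aramco guideline. SCHEMA, the store classes
and the error strings below are constructed for illustration.
"""
import logging
import re
import uuid

log = logging.getLogger("app")

# Allowlist schema: field -> (type, syntax pattern, lower bound, upper bound).
# For str fields the bounds are length limits; for int fields they are the value range.
SCHEMA = {
    "contract_no": (str, re.compile(r"[A-Z0-9-]+"), 5, 20),
    "quantity":    (int, None, 1, 10_000),
    "email":       (str, re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"), 6, 254),
}


class ValidationError(ValueError):
    """Rejected input; the message names the field and the rule, never the value."""


def validate(payload: dict) -> dict:
    """Return a cleaned copy containing exactly the SCHEMA fields, or raise ValidationError."""
    unknown = sorted(set(payload) - set(SCHEMA))
    if unknown:
        raise ValidationError(f"unexpected field: {unknown[0]}")
    cleaned = {}
    for field, (ftype, pattern, lo, hi) in SCHEMA.items():
        if field not in payload:
            raise ValidationError(f"missing field: {field}")
        value = payload[field]
        if type(value) is not ftype:                  # exact type: bool must not pass as int
            raise ValidationError(f"invalid type for {field}")
        if ftype is str:
            if not lo <= len(value) <= hi:
                raise ValidationError(f"invalid length for {field}")
            if pattern is not None and not pattern.fullmatch(value):
                raise ValidationError(f"invalid syntax for {field}")
        elif not lo <= value <= hi:
            raise ValidationError(f"out of range: {field}")
        cleaned[field] = value
    return cleaned


def handle_request(payload: dict, store) -> tuple:
    """Return an HTTP-style (status, body). The body never carries exception text or traces."""
    try:
        store.save(validate(payload))
        return 200, {"status": "ok"}
    except ValidationError as exc:
        return 400, {"error": str(exc)}               # field-level hint only
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed ref=%s", ref)   # full detail stays server-side
        return 500, {"error": "An internal error occurred.", "reference": ref}


class MemoryStore:
    """Constructed stand-in for a working storage layer."""
    def __init__(self):
        self.rows = []

    def save(self, data):
        self.rows.append(data)


class BrokenStore:
    """Constructed stand-in for a storage layer whose failure text must not reach the user."""
    def save(self, data):
        raise RuntimeError("ORA-00942: table or view does not exist")   # constructed text


if __name__ == "__main__":
    good = {"contract_no": "SA-12345", "quantity": 3, "email": "a@example.com"}
    print(handle_request(good, MemoryStore()))
    print(handle_request({**good, "quantity": "3; DROP TABLE orders"}, MemoryStore()))
    print(handle_request(good, BrokenStore()))
```

The same rule applies to the login failure evidence under TPC-61: the message must be identical whether the username or the password was wrong, so the application does not confirm which accounts exist. The reference number in the 500 response is what support staff use to find the logged stack trace, so the user never needs to see it.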

TPC-62
Control Statement: Applications or Cloud Computing Services must not store, generate, transmit, or use plain-text passwords.
Controls' Requirements:
- Provide evidence of the application password management policy.
- Provide evidence of the security controls applied to application passwords, including encryption and the use of hash functions.
- Provide evidence from the configuration file of the application.
- Provide evidence of LDAP and Active Directory, where they are used for authentication.
TPC-63
Control Statement: Third Party must create and manage baseline configurations to harden information systems. The hardening process must address configurations such as:
- Resetting default usernames/passwords
- Disabling unneeded software
- Disabling unneeded services
- Removing administrative access of users on workstations
Controls' Requirements:
- Provide evidence of the baseline configurations for systems (e.g., servers, desktops, routers).
- Provide evidence of samples checked against the third party's baseline configurations, showing that the standards are followed and enforced for the following:
  - Resetting default usernames/passwords
  - Disabling unneeded software
  - Disabling unneeded services
  - Removing administrative access of users on workstations

TPC-64
Control Statement: Third Party must establish and follow regular procedures for backup of critical systems and Saudi Aramco's data, software and websites.
Controls' Requirements:
- Provide evidence of the third party backup policy, process and procedures.
- Provide evidence that formal backups are performed on a defined schedule.
- Provide evidence that periodic backup testing is performed to verify that data are accessible and readable.

TPC-65
Control Statement: Backups stored at an off-site location must be encrypted using at least the AES encryption algorithm with a 256-bit key, except for data classified as public.
Controls' Requirements:
- Provide evidence of the third party backup policy, process and procedures.
- Provide evidence that backup tapes sent to the off-site location are encrypted.

TPC-66
Control Statement: Third Party must implement a sanitization process before any Assets are loaned, donated, destroyed, transferred, or surplused. The process must be aligned to industry best practices such as NIST 800-88.
Controls' Requirements:
- Provide evidence of the media sanitization (data destruction) policies.
- Provide evidence that sanitization techniques and procedures are commensurate with the security category or classification of the information or asset, and in accordance with organizational standards and policies.
- Provide proof (e.g., destruction certificates) that media sanitization is occurring according to policy.

TPC-67
Control Statement: Third Party must have a Disaster Recovery Plan (DR Plan) which is documented, maintained and communicated to appropriate parties. The DR Plan should address the recovery of Assets and communications following a major disruption to business operations.
Controls' Requirements:
- Provide evidence of Disaster Recovery plans addressing the control requirements.
- Provide evidence of samples of the DR Plan being communicated to responsible parties and stakeholders.

TPC-68
Control Statement: Third Party must have a comprehensive Business Continuity (BC) plan which is documented, maintained and communicated to appropriate parties. The BC plan should address the occurrence of the following scenarios:
a) Equipment failure.
b) Disruption of power supply or communication.
c) Application failure or corruption of database.
d) Human error, sabotage or strike.
e) Malicious Software attack.
f) Hacking or other Internet attacks.
g) Social unrest or terrorist attacks.
h) Environmental disasters.
i) Emergency contact information for personnel.
Controls' Requirements:
- Provide evidence of business continuity plans to determine whether the third party has documented how it will respond to a cyber-incident.
- Provide evidence that the BC plan covers all the subjects/topics listed in the control statement.

TPC-69
Control Statement: Third Party must ensure that owners of the Business Continuity (BC) plan are identified and that the BC plan is reviewed and updated annually.
Controls' Requirements:
- Provide evidence that Business Continuity (BC) plan owners are identified in the plan.
- Provide evidence of successive plan releases to determine how frequently they are updated and approved.

TPC-70
Control Statement: Third Party must conduct Business Continuity drills at least annually.
Controls' Requirements:
- Provide evidence that business continuity tests/drills are performed according to the policy, at the frequency required by the control.

TPC-71
Control Statement: Third Party must have formal procedures for on-boarding employees. On-boarding procedures must include background checks (e.g., verification of work histories).
Controls' Requirements:
- Provide evidence of hiring procedures to determine whether background checks/screenings are performed for all employees.
- Provide the HR screening policy.

TPC-72
Control Statement: Third Party must conduct security and source code vulnerability scanning on all developed applications, and close all discovered vulnerabilities before deployment in production.
Controls' Requirements:
- Provide evidence of the security scans performed and the vulnerability reports produced for all developed applications.
- Provide evidence that all security issues and findings discovered were remediated and closed prior to deployment in production.
- Provide the application vulnerability scanning policy.

TPC-73
Control Statement: All changes to the application must be properly authorized and tested in a testing environment before moving to production.
Controls' Requirements:
- Provide evidence of application design packages and testing reports that show the different application tests conducted by the authorized testing team.
- Provide evidence of test results from the testing environments (e.g., quality assurance and pre-production).
- Provide evidence of approved change requests for applications prior to deployment.

TPC-74
Control Statement: Third Party must have a process for secure system and software development life cycle in alignment with industry best practice.
Controls' Requirements:
- Provide evidence of the implemented process for the secure system and software development life cycle.

TPC-75
Control Statement: Third Party must retain all audit logs from information systems and applications storing, processing or transmitting Saudi Aramco data for one (1) year.
Controls' Requirements:
- Provide evidence that audit logs (e.g., security, activity) are maintained and reviewed in a timely manner.
- Provide evidence that log files are sized such that logs are not deleted prior to review and/or being backed up.
- Provide evidence of the third party policy for log handling.
- Provide evidence that audit logs and log management and analysis tools are protected from unauthorized access, modification and deletion.
- Provide evidence that audit records contain appropriate content (e.g., type of event, when the event occurred, where the event occurred, source of the event, outcome of the event, and identity of any individuals or subjects associated with the event).

TPC-76
Control Statement: Firewalls must be implemented at the network perimeter and only required services must be allowed. Vulnerable services or insecure protocols should be blocked.
Controls' Requirements:
- Provide evidence of firewall settings ensuring that rules are configured to allow only required services, and that unneeded protocols and vulnerable services are closed and blocked.
- Provide a network diagram showing firewall placement.

TPC-77
Control Statement: Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) must be implemented at the network perimeter.
Controls' Requirements:
- Provide evidence of IDS/IPS configuration and enablement.

TPC-78
Control Statement: Signatures of firewalls, IDS and IPS must be up-to-date.
Controls' Requirements:
- Provide evidence that firewall, IDS and IPS signatures are up-to-date.

TPC-79
Control Statement: If Third Party is hosting an application or a website for Saudi Aramco or providing a cloud-based web application, a Web Application Firewall (WAF) must be implemented to inspect all incoming traffic for potential threats and malicious activity, e.g. SQL injection and Cross Site Scripting.
Controls' Requirements:
- Provide evidence of an implemented Web Application Firewall (WAF).
- Provide evidence of the WAF configuration and activation.

TPC-80
Control Statement: Third Party must monitor Technology Assets, Systems and applications to identify unauthorized access or unauthorized activity.
Controls' Requirements:
- Provide evidence of policies and procedures regarding system and network monitoring.
- Provide evidence of detected events (e.g., alerts from IDS) and the organization's response to them. Review the events and responses to ensure a thorough analysis of detected events is performed.

TPC-81
Control Statement: Third Party must periodically aggregate and correlate data from multiple systems and critical applications such as Firewalls, SIEMs, IDS/IPS, and anti-virus in a central repository for event monitoring and analysis purposes.
Controls' Requirements:
- Provide a list of the event aggregation and monitoring systems in use at the organization (e.g., event log correlation systems).
- Provide a list of the sources that provide data to each event aggregation and monitoring system (e.g., firewalls, routers, servers).

TPC-82
Control Statement: Multiple physical security measures must be implemented to prevent unauthorized access to facilities. Entrances and exits must be secured with authentication card key and door locks, and monitored by video cameras.
Controls' Requirements:
- Provide evidence that physical access to key assets (e.g., server rooms, network closets, zones) is physically restricted by:
  a. Locked doors
  b. Surveillance
  c. Fences or walls
  d. Logs
  e. Visitor escorts
- Provide evidence of policies and procedures that allow only authorized personnel access to sensitive areas.
- Provide evidence of termination/off-boarding procedures to ensure physical access is removed once an employee leaves.

TPC-83
Control Statement: Privileged account activity must be logged and monitored on a regular basis.
Controls' Requirements:
- Provide evidence of policies covering the monitoring of privileged account activity.
- Provide evidence of logged privileged account activity.

TPC-84
Control Statement: Non-authorized devices (such as personal devices and mobile phones) must not be used to store, process or access Assets.
Controls' Requirements:
- Provide evidence of the policy on the use of personal assets.

TPC-85
Control Statement: Monthly Vulnerability scans must be conducted to evaluate configuration, Patches and services for known Vulnerabilities.
Controls' Requirements:
- Provide evidence of the third party vulnerability management plan and ensure it includes the following:
  - Frequency of vulnerability scanning
  - Method for measuring the impact of identified vulnerabilities (e.g., Common Vulnerability Scoring System)
  - Incorporation of vulnerabilities identified in other security control assessments (e.g., external audits, penetration tests)
  - Procedures for developing remediation of identified vulnerabilities
- Provide samples of vulnerability scan reports.
- Provide the vulnerability scanning policy.

TPC-86
Control Statement: Physical access to the facility where information systems reside must be restricted to authorized personnel and reviewed on a regular basis.
Controls' Requirements:
- Provide evidence of an inventory of critical facilities (e.g., data centers, network closets, operations centers, critical control centers).
- Provide evidence that physical security monitoring controls are implemented and appropriate to detect potential cybersecurity events (e.g., sign in/out logs, motion detectors, security cameras, security lighting, security guards, door/window locks, automatic system lock when idle, restricted physical access to servers, workstations, network devices, network ports).

TPC-87
Control Statement: Information systems and applications must log auditable events as stated in Appendix C.
Controls' Requirements:
- Provide a list of the monitoring controls implemented by the third party at the application/user account level (e.g., account management, user access roles, user activity monitoring, file and database access).
- Provide evidence that monitoring reports include detection and alerting of cybersecurity events (e.g., unauthorized account access, unauthorized file/system access, access out of hours, access to sensitive data, unusual access, unauthorized physical access, privilege escalation attacks).
- Refer to Appendix C of the Third Party Standard for the list of auditable events.
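An added example, not code from this guideline or from any third party's monitoring system, of how a reviewer can test two of the requirements above on a sample of the evidence: TPC-75's list of what an audit record must contain (type, time, place, source, outcome, identity) and TPC-87's detection of events such as out-of-hours access, unauthorized file access and privilege escalation. The block reads a constructed JSON-lines log, reports records that are missing required content or are not structured at all, and then runs three detection rules over the complete records. The field names, the business-hours window, the privileged group names and the sample records are all assumptions made for the example; Appendix C is not reproduced on this page, so the event classes are taken from the TPC-87 text only.

```python
import json
from datetime import datetime, time

# Field names assumed for this example's JSON-lines log; they map onto the
# audit-record content TPC-75 lists (type, when, where, source, outcome, identity).
REQUIRED_FIELDS = ("event_type", "timestamp", "host", "source", "outcome", "subject")

# Assumptions for the detection rules: a local business-hours window and the
# groups whose membership confers privilege.
BUSINESS_HOURS = (time(7, 0), time(18, 0))
PRIVILEGED_GROUPS = {"Domain Admins", "root", "wheel"}

# Constructed sample log (not real data): five JSON records plus one unstructured
# syslog line, one per line so that findings can cite a line number.
SAMPLE_LOG = "\n".join([
    '{"event_type":"login","timestamp":"2024-03-04T09:12:00+00:00","host":"app01","source":"10.0.5.21","outcome":"success","subject":"alice"}',
    '{"event_type":"login","timestamp":"2024-03-04T02:40:00+00:00","host":"app01","source":"10.0.5.77","outcome":"success","subject":"svc_backup"}',
    '{"event_type":"file_access","timestamp":"2024-03-04T10:05:00+00:00","host":"db01","source":"10.0.5.21","outcome":"denied","subject":"alice","object":"/etc/shadow"}',
    '{"event_type":"group_membership_change","timestamp":"2024-03-04T10:06:00+00:00","host":"dc01","source":"10.0.5.21","outcome":"success","subject":"alice","target":"bob","group":"Domain Admins"}',
    '{"event_type":"login","timestamp":"2024-03-04T11:00:00+00:00","host":"app01","outcome":"failure","subject":"bob"}',
    'Mar  4 10:07:00 app01 sshd[412]: Accepted password for carol from 10.0.5.90 port 51022',
])


def parse_records(text: str):
    """Yield (line_no, record); record is None when the line is not a JSON object."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        yield line_no, rec if isinstance(rec, dict) else None


def missing_fields(record: dict) -> list:
    """Required fields that are absent or empty in this record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def in_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def analyze(text: str) -> list:
    """Return (line_no, finding) pairs: completeness failures for every record,
    then the TPC-87 event classes this example implements for complete ones."""
    findings = []
    for line_no, rec in parse_records(text):
        if rec is None:
            findings.append((line_no, "malformed-record"))
            continue
        missing = missing_fields(rec)
        if missing:
            findings.append((line_no, "incomplete-record:" + ",".join(missing)))
            continue
        ts = datetime.fromisoformat(rec["timestamp"])
        if rec["event_type"] == "login" and rec["outcome"] == "success" and not in_business_hours(ts):
            findings.append((line_no, "out-of-hours-access"))
        if rec["event_type"] == "file_access" and rec["outcome"] == "denied":
            findings.append((line_no, "unauthorized-file-access"))
        if rec["event_type"] == "group_membership_change" and rec.get("group") in PRIVILEGED_GROUPS:
            findings.append((line_no, "privileged-group-change"))
    return findings


if __name__ == "__main__":
    for line_no, finding in analyze(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

The incomplete and malformed lines matter as much as the detections: a record with no source address, or a free-text syslog line, cannot answer "where did this come from" when an incident is investigated, which is the gap TPC-75's content requirement exists to close.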

TPC-88
Control Statement: Incident management policy and plan must be documented, maintained and communicated to management and appropriate team members.
Controls' Requirements:
- Provide evidence of the incident management policy and procedures to determine whether the reporting structure and communication channels are clearly defined.
- Provide evidence that employees are trained to report suspected security incidents.
- Provide copies of reports from recent incidents to validate that reporting is consistent and follows the plan.

TPC-89
Control Statement: Third Party must have an Incident Response capability that includes preparation, detection and analysis, containment, eradication, recovery, documentation and preservation of evidence, communication protocols and lessons learned.
Controls' Requirements:
- Provide evidence of the incident response plan to determine whether appropriate steps are taken, considering the following:
  1. Obtain evidence of event notifications (e.g., detection alerts, reports) from different systems.
  2. Determine who receives alerts or reports from detection systems and what actions are taken once reports are received.
  3. Review the incident response plan to determine whether actions taken follow the plan.
  4. Steps to contain and control the incident to prevent further harm.
  5. Procedures to notify potentially impacted third parties.
  6. Strategies to control different types of incidents (e.g., distributed denial-of-service [DDoS], malware, etc.).
  7. Steps to mitigate the incident to prevent further harm.
  8. Review any documented incidents to determine whether mitigation efforts were implemented and effective.
  9. Review the organization's incident handling reports and incident testing documentation for action items and lessons learned.

TPC-90
Control Statement: Third Party must track, classify and document all Cybersecurity Incidents.
Controls' Requirements:
- Provide evidence of the incident response plan to determine whether there is a process to formally analyze and classify incidents based on their potential impact.
- Provide the incident response plan to determine whether it is designed to prioritize incidents, enabling a rapid response for significant incidents or vulnerabilities.

TPC-91
Control Statement: Third Party must resolve or mitigate identified security Vulnerabilities on a system, computer, network, or other computer equipment within the following timeframes:
- Critical Risk: immediate correction, up to fourteen (14) calendar days from the critical vendor patch release, notification from Saudi Aramco, or discovery of a security breach, whichever is earliest.
- High Risk: within one (1) month of the vendor patch release or discovery of a security breach, whichever is earlier.
- Medium and Low Risk: within three (3) months of discovery.
Controls' Requirements:
- Provide evidence of the organization's schedule for performing internal and external vulnerability scans, and the results of the most recent internal and external vulnerability scans.
- Review the schedule and results for the following:
  - Frequency
  - Successful completion
  - Documented resolution or mitigation of identified vulnerabilities
  - Scope of testing includes all critical systems
- Provide evidence that vulnerability scan results were reported to individuals or teams with appropriate authority to ensure resolution.
- Provide the vulnerability scanning policy.
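An added example, not code from this guideline, of how to check TPC-91's timeframes against a scan export rather than by eye. The subtlety a reviewer has to get right is the clock start: for Critical findings it is the earliest of the vendor patch release, the Saudi Aramco notification and the breach discovery; for High it is the earlier of patch release and breach discovery; for Medium and Low it is the scan discovery date. The block encodes those rules, derives the due date, classifies each finding as open, overdue, closed on time or closed late, and maps a CVSS base score to a severity band (TPC-85 names CVSS as the impact measure). Rendering "one month" and "three months" as 30 and 90 days, the "no-trigger" status for a Critical/High finding with no patch, notice or breach yet, the Finding fields and the sample data are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Remediation windows from TPC-91. The guideline says "one (1) month" and
# "three (3) months"; rendering them as 30 and 90 days is this example's assumption.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 90}


def parse_date(iso: str) -> date:
    return date.fromisoformat(iso)


def cvss_to_severity(base_score: float) -> str:
    """CVSS v3.x qualitative severity bands."""
    if base_score >= 9.0:
        return "critical"
    if base_score >= 7.0:
        return "high"
    if base_score >= 4.0:
        return "medium"
    if base_score >= 0.1:
        return "low"
    return "none"


@dataclass
class Finding:
    ident: str                               # scanner plugin id or CVE (constructed in samples)
    severity: str                            # critical / high / medium / low
    discovered: date                         # date the scan reported it
    patch_released: Optional[date] = None
    aramco_notified: Optional[date] = None   # Critical-only trigger in TPC-91
    breach_discovered: Optional[date] = None
    closed: Optional[date] = None


def sla_start(f: Finding) -> Optional[date]:
    """Earliest applicable trigger per TPC-91 ("whichever is earlier")."""
    if f.severity == "critical":
        triggers = [f.patch_released, f.aramco_notified, f.breach_discovered]
    elif f.severity == "high":
        triggers = [f.patch_released, f.breach_discovered]
    else:
        triggers = [f.discovered]
    dates = [d for d in triggers if d is not None]
    return min(dates) if dates else None


def due_date(f: Finding) -> Optional[date]:
    start = sla_start(f)
    return None if start is None else start + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, today: date) -> str:
    due = due_date(f)
    if due is None:
        return "no-trigger"   # Critical/High with no patch, notice or breach yet: review by hand
    if f.closed is not None:
        return "closed-on-time" if f.closed <= due else "closed-late"
    return "overdue" if today > due else "open"


def breaches(findings: List[Finding], today: date) -> List[str]:
    """Identifiers of findings that are overdue or were closed after the deadline."""
    return [f.ident for f in findings if status(f, today) in ("overdue", "closed-late")]


if __name__ == "__main__":
    # Constructed sample findings, not real scan output.
    sample = [
        Finding("F-1", cvss_to_severity(9.8), parse_date("2024-01-03"),
                patch_released=parse_date("2024-01-01"), aramco_notified=parse_date("2024-01-05")),
        Finding("F-2", "high", parse_date("2024-02-01"), breach_discovered=parse_date("2024-02-01")),
        Finding("F-3", "medium", parse_date("2024-01-01"), closed=parse_date("2024-04-15")),
    ]
    today = parse_date("2024-05-01")
    for f in sample:
        print(f.ident, f.severity, due_date(f), status(f, today))
    print("SLA breaches:", breaches(sample, today))
```

Used against the evidence requested above, the list returned by breaches is the set of findings for which the reviewer should ask for the documented resolution or mitigation, and the no-trigger cases are the ones where the clock cannot be established from the scan export alone.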
TPC-92
Control Statement: If Third Party is hosting a website for Saudi Aramco or providing a Cloud Computing Service, the website/Cloud Computing Service must be secured by Distributed Denial of Service (DDoS) protection.
Controls' Requirements:
- Provide evidence that the third party has deployed a DDoS protection appliance that sits in front of the network firewalls.
- Provide evidence that the third party has deployed web application firewalls and uses load balancers.
