As governments continue to find themselves switching fully to digital records, it's important to ensure there are safeguards in place to secure that data. In the Middle East, the Kingdom of Saudi Arabia’s (KSA’s) National Data Management and Personal Data Protection Standards are designed to do just that, implementing cybersecurity practices that will safeguard public and government-owned data as part of Vision 2030, a government program first outlined by the KSA in 2016.
These standards were created and are implemented by the National Data Management Office (NDMO), the Kingdom’s national regulator, and will be referred to as the NDMO Standards, or simply the Standards in the course of this blog.
Who Do the NDMO Standards Apply To?
The NDMO Standards apply to all KSA Public Entities and business partners handling government data. Per the official documentation, those parties are responsible for protecting both personal and government data, defined as:
- Personal Data: Any element of data, alone or in connection with other available data, that would enable the identification of a Saudi citizen.
- Government Data: Raw data or processed data that is received, produced or held by public entities, regardless of the source, form or nature.
The rules apply to government data in “any form of recorded data,” including paper records, handwritten documents, emails, maps, and more.
What Are the 15 NDMO Domains?
The Standards look at requirements across 15 specific domains, including:
- Data Governance
- Data Catalog and Metadata
- Data Quality
- Data Operations
- Document and Content Management
- Data Architecture and Modelling
- Reference and Master Data Management
- Business Intelligence and Analytics
- Data Sharing and Interoperability
- Data Value Realization
- Open Data
- Freedom of Information
- Data Classification
- Personal Data Protection
- Data Security and Protection
What Role Does Data Classification Play?
Data Classification, in addition to being domain #13, is also a key pillar of the data lifecycle, which the NDMO Standards are designed to protect. Those pillars of the data lifecycle are illustrated in the image below:
Credit: NDMO Data Management and Personal Data Protection Standards document.
They are:
- Data Governance: The overarching rules that will dictate subsequent data management processes, policies, and procedures.
- Data Assetization: The process of assigning value to data based on characteristics like function and quality.
- Data Usage: How data is being utilized within the organization; in this case, the government.
- Data Classification and Availability: Making data available to Saudi citizenry and sorting it based on how crucial its safety is to Saudi national security, government stability, and other factors.
- Data Protection: The obligation to protect Saudi personal and government information, and the means by which to do so.
The Requirement to Classify Data
The Standards state, “Data Classification involves the categorization of data so that it may be used and protected efficiently. Data Classification levels are assigned following an impact assessment determining the potential damages caused by the mishandling of data or unauthorized access to data.”
In other words, classifying data correctly is integral to properly securing it. Data is classified according to the negative impact a breach of that data would have on the organization, and the appropriate level of controls then follows from that classification.
The NDMO Standards require that a register be kept of all assets identified in the course of Data Classification. The register must record:
- A list of identified assets.
- Classification levels assigned to each asset.
- The dates those classification levels were assigned.
- How long those classification levels remain valid.
- Classification levels approved during review.
- The dates of the classification levels’ review.
Data Classification Process
To meet the above Data Classification requirements, a structured Data Classification process needs to be in place.
Practitioners must:
1. Identify all of the entity’s data.
2. Assign the parties responsible for performing Data Classification.
3. Conduct the impact assessment process.
a. Identify the category impacted (national interest, organizations, individuals, environment, etc.).
b. Determine the level of impact (high, medium, low, or none).
4. Consider compliance with existing regulations (only if the impact is “low”).
5. Assess the benefits of disclosure against the potential negative impacts (only if there are no compliance consequences for disclosing the data).
6. Review the classification level one last time for completeness and accuracy.
7. Apply the relevant controls.
This process is important because security needs to be balanced against resources and a user-friendly environment. Establishing which pieces of data need the most stringent (and often resource-heavy, time-consuming) controls lets you concentrate security firepower where it matters and spare other data from unnecessarily weighty policies.
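The steps above can be modelled as a small decision procedure feeding the mandated register. The following Python is an added illustration written for this post, not NDMO or Fortra code; the classification labels, validity period and field names are assumptions, and the Standards define their own level scheme.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Optional

class Impact(Enum):          # step 3b: level of impact per affected category
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Hypothetical label per impact level (placeholder, not the Standards' own scheme).
LABELS = {Impact.NONE: "Public", Impact.LOW: "Restricted",
          Impact.MEDIUM: "Confidential", Impact.HIGH: "Secret"}

@dataclass
class Asset:
    name: str
    classifier: str                        # step 2: party responsible for classifying
    impacts: Dict[str, Impact]             # step 3a/3b: impacted category -> impact level
    regulated: bool = False                # step 4: disclosure has compliance consequences
    benefit_outweighs_harm: bool = False   # step 5: disclosure judged net-beneficial

@dataclass
class RegisterEntry:                       # the fields the register must hold
    asset: str
    level: str
    assigned_on: date
    valid_days: int
    approved_level: Optional[str] = None   # level approved during review (step 6)
    reviewed_on: Optional[date] = None

def classify(asset: Asset, today: date, valid_days: int = 365) -> RegisterEntry:
    """Steps 3-5: the worst impact across categories sets the baseline level."""
    worst = max(asset.impacts.values(), key=lambda i: i.value)
    level = LABELS[worst]
    # Step 4 is only reached for low-impact data; step 5 only when disclosure
    # carries no compliance consequence. Then a net benefit can open the data.
    if worst is Impact.LOW and not asset.regulated and asset.benefit_outweighs_harm:
        level = LABELS[Impact.NONE]
    return RegisterEntry(asset.name, level, today, valid_days)

def review(entry: RegisterEntry, approved: str, today: date) -> RegisterEntry:
    """Step 6: record the level approved at review and the review date."""
    entry.approved_level, entry.reviewed_on = approved, today
    return entry

def review_overdue(entry: RegisterEntry, today: date) -> bool:
    """True once an unreviewed classification has outlived its validity period."""
    return entry.reviewed_on is None and today > entry.assigned_on + timedelta(days=entry.valid_days)
```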
Fortra Data Classification
Fortra’s Digital Guardian helps teams in both public and private sectors accomplish their Data Classification goals.
With a range of methods – from fully automated to manual user classification – Digital Guardian provides context-based classification that can identify and tag sensitive data automatically.
Key benefits include:
- Proactive assignment of security resources to the most valuable data.
- Automated classification that drives repeatability and predictability.
- Getting your team on the same page about which assets are most vital to secure and control.
Plus, it factors data sensitivity levels into alert prioritization so you can protect what matters the most, when it matters the most.
Looking to go beyond Digital Guardian's data classification capabilities? Fortra's Data Classification Suite (DCS) takes it further. Fortra's DCS gives organizations a persistent metadata tagging solution that stays with each file. When visual markings and metadata labels are combined, organizations gain more control over how data is handled. Organizations can leverage this rich and persistent metadata to drive complex policies, achieve compliance with requirements such as the KSA's NDMO Standards, and build out an effective data protection strategy.
Data Classification is just one of the many ways in which the Saudi NDMO National Data Management and Personal Data Protection Standards ensure public data is properly protected for tomorrow. Given its vital role within the broader data protection context, it can be argued that it is one of the most crucial requirements as well.
Looking to learn more about Fortra's data protection solutions and how they can help you meet compliance?