Control # / Control Statement

TPC-1
Third Party must establish, maintain and communicate a Cybersecurity Acceptable Use Policy (AUP) governing the use of Third Party Technology Assets.

TPC-2
Password protection measures must be enforced by the Third Party. The following are recommended measures:
- Minimum length: 8 alphanumeric characters and special characters.
- History: last 12 passwords.
- Maximum age: 90 days for login authentication.
- Account lockout threshold: 10 invalid login attempts.
- Screen saver settings: automatically locked within 15 minutes of inactivity.
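The TPC-2 values, and the Active Directory evidence the audit asks for, can be checked directly on a domain-joined host. This is an added example (not part of the standard); it assumes the ActiveDirectory (RSAT) module is installed, and the function name Test-Tpc2Policy is our own.

```powershell
# Added example, not part of the standard: compare the effective domain
# password policy and the screen-lock policy with the values listed in TPC-2.
# Assumes a domain-joined host with the ActiveDirectory (RSAT) module; the
# screen-saver keys are the standard Windows user policy values.
Import-Module ActiveDirectory

function Test-Tpc2Policy {
    $p   = Get-ADDefaultDomainPasswordPolicy
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ss  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $age = $p.MaxPasswordAge.Days            # 0 or a huge value means "never expires"

    @(
        [pscustomobject][ordered]@{ Setting = 'Minimum length (>= 8)'
            Actual = $p.MinPasswordLength;    Pass = $p.MinPasswordLength -ge 8 }
        [pscustomobject][ordered]@{ Setting = 'Complexity (alphanumeric + special)'
            Actual = $p.ComplexityEnabled;    Pass = [bool]$p.ComplexityEnabled }
        [pscustomobject][ordered]@{ Setting = 'History (>= 12 passwords)'
            Actual = $p.PasswordHistoryCount; Pass = $p.PasswordHistoryCount -ge 12 }
        [pscustomobject][ordered]@{ Setting = 'Maximum age (1..90 days)'
            Actual = $age;                    Pass = ($age -ge 1) -and ($age -le 90) }
        [pscustomobject][ordered]@{ Setting = 'Lockout threshold (1..10 attempts)'
            Actual = $p.LockoutThreshold;     Pass = ($p.LockoutThreshold -ge 1) -and ($p.LockoutThreshold -le 10) }
        [pscustomobject][ordered]@{ Setting = 'Screen lock (<= 900 s, password required)'
            Actual = "$($ss.ScreenSaveTimeOut) s / secure=$($ss.ScreenSaverIsSecure)"
            Pass   = [bool]$ss -and $ss.ScreenSaveTimeOut -and ([int]$ss.ScreenSaveTimeOut -le 900) -and ($ss.ScreenSaverIsSecure -eq '1') }
    )
}

$report = Test-Tpc2Policy
$report | Format-Table -AutoSize
# Export as the audit artefact; any Pass = False row is a TPC-2 finding
$report | Export-Csv -NoTypeInformation -Path "tpc2-${env:USERDNSDOMAIN}.csv"
if ($report.Pass -contains $false) { Write-Warning 'TPC-2: one or more settings do not meet the standard' }
```

Where no domain exists, the same comparisons apply to the local policy shown by net accounts on the sampled systems.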
TPC-3
Third Party must not write down, electronically store in clear text, or disclose any password or authentication code that is used to access Assets or Critical Facilities. This should be part of the Third Party cybersecurity policies.

TPC-4
Multi-factor authentication must be enforced on all remote access, including access from the Internet, to Third Party Company computing resources.

TPC-5
Multi-factor authentication must be enforced on all access to Cloud services utilized by the Third Party, including access to cloud-based email.

TPC-6
Third Party must inform Saudi Aramco when employees provided with Saudi Aramco user credentials no longer need their access, or are transferred, re-assigned, retired, resigned or no longer associated with the Third Party.

TPC-7
Third Party must require all information systems users to take a yearly mandatory Cybersecurity training that addresses acceptable use and good computing practices. Training must address the following topics:
1. Internet and social media security
2. Cybersecurity Acceptable Use
3. Social Engineering and phishing emails
4. Sharing credentials (i.e. username and password)
5. Data Security

TPC-8
Third Party must inform personnel, in keeping with Third Party Company Policy, that using personal email to share and transmit Saudi Aramco data is strictly prohibited.

TPC-9
Third Party must inform personnel, in keeping with Third Party Company Policy, that disclosing Saudi Aramco policies, procedures and standards or any type of data to unauthorized entities or on the Internet is strictly prohibited.

TPC-10
All Third Party Technology Assets and Systems must be password protected.

TPC-11
Third Party Technology Assets and Systems must be regularly updated with operating system (OS), software and applet patches (e.g. Adobe, Flash, Java, etc.).

TPC-12
Third Party Technology Assets must be protected with anti-virus (AV) software. Updates must be applied daily, and full system scans must be performed every two weeks.

TPC-13
Third Party must implement Sender Policy Framework (SPF) technology on the mail server.

TPC-14
Third Party must enforce the Sender Policy Framework (SPF) feature on Saudi Aramco email domains: Aramco.com and Aramco.com.sa.

TPC-15
Third Party must publish an SPF record in its DNS server.
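TPC-13 to TPC-15 hinge on the SPF record being present and well formed, because an enforcing gateway turns a broken record into rejected or unverifiable mail. The following is an added example, not part of the standard: Get-SpfRecord and Test-SpfRecord are our own names, and the sample record is constructed, not any real domain's record.

```powershell
# Added example, not part of the standard: check an SPF record for the defects
# an SPF-enforcing mail gateway (TPC-14) trips over: no record, several
# records, no terminal "all", "+all", or more than 10 DNS-lookup terms.
# Get-SpfRecord does a live TXT lookup for the Third Party's own domain
# (TPC-15); Test-SpfRecord works on strings, so the constructed sample
# below runs without network access. Both function names are our own.
function Get-SpfRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # A long record is published as several strings; join them before parsing.
    Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { ($_.Strings -join '') -match '^v=spf1(\s|$)' } |
        ForEach-Object { $_.Strings -join '' }
}

function Test-SpfRecord {
    param([string[]]$Records, [string]$Domain)
    $issues = @()
    if (-not $Records) { return @("$Domain publishes no SPF record; mail claiming to come from it cannot be validated") }
    if ($Records.Count -gt 1) { $issues += "$Domain publishes $($Records.Count) SPF records; receivers return PermError" }
    $terms = @(($Records[0] -split '\s+') | Select-Object -Skip 1)   # drop the 'v=spf1' version tag
    $last  = if ($terms) { $terms[-1] } else { '' }
    if ($last -notmatch '^[-~?+]?all$' -and $last -notmatch '^redirect=') {
        $issues += "record does not end with an 'all' mechanism; unlisted senders are only Neutral"
    }
    if ($last -match '^\+?all$') { $issues += "'+all' authorises any IP on the Internet to send as $Domain" }
    # RFC 7208 caps the terms that cause DNS lookups at 10 per evaluation.
    $lookups = @($terms | Where-Object { $_ -match '^[-~?+]?(include|exists|ptr|a|mx)(:|/|$)|^redirect=' }).Count
    if ($lookups -gt 10) { $issues += "$lookups DNS-lookup terms (limit 10); receivers return PermError" }
    return $issues
}

# Constructed sample record (not any real domain's record)
$sample = 'v=spf1 ip4:203.0.113.0/24 include:_spf.example.net mx -all'
$issues = Test-SpfRecord -Records @($sample) -Domain 'example.com'
if ($issues) { $issues } else { 'SPF record OK' }
Test-SpfRecord -Records @('v=spf1 a +all') -Domain 'example.org'   # reports the '+all' problem
# Live check of the Third Party's own domain:
# Test-SpfRecord -Records @(Get-SpfRecord -Domain 'thirdparty.example') -Domain 'thirdparty.example'
```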
TPC-16
Third Party must inspect all incoming emails originating from the Internet using anti-spam protection.

TPC-17
Third Party must use a private email domain. Generic domains, such as Gmail and Hotmail, must not be used.

TPC-18
Third Party must have formal procedures for off-boarding employees. Off-boarding procedures must include the return of assets and the removal of all associated access.

TPC-19
Assets used to process or store Saudi Aramco data and information must be sanitized by the end of the Data Life Cycle, or by the end of the retention period stated in the Contract, if defined. This includes all data copies, such as backup copies created at any Third Party site(s). Third Party shall certify in writing to Saudi Aramco that the data sanitization has been completed.

TPC-20
Third Party must obtain a Cybersecurity Compliance Certificate (CCC) from Saudi Aramco authorized audit firms in accordance with the third-party classification requirements set forth in this Standard (Section II). Third Parties must submit the CCC to Saudi Aramco through the Saudi Aramco eMarketplace system.

TPC-21
Third Party must renew the CCC every two (2) years.

TPC-22
Firewalls must be configured and enabled on endpoint devices.
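The endpoint evidence for TPC-12 (AV updated daily, full scan every two weeks) and TPC-22 (firewall enabled on the domain, private and public profiles) can be collected with one script on each sampled workstation. This is an added example, not part of the standard; it assumes Microsoft Defender and the built-in Windows firewall, and Get-EndpointEvidence is our own name.

```powershell
# Added example, not part of the standard: gather the endpoint evidence asked
# for under TPC-12 (AV updated daily, full scan every two weeks) and TPC-22
# (firewall enabled). Assumes Microsoft Defender and the built-in Windows
# firewall; run on each sampled workstation. Function name is our own.
function Get-EndpointEvidence {
    $mp = Get-MpComputerStatus
    $fw = Get-NetFirewallProfile        # Domain, Private and Public profiles

    $rows = @(
        [pscustomobject][ordered]@{ Control = 'TPC-12'; Check = 'Real-time protection enabled'
            Actual = $mp.RealTimeProtectionEnabled; Pass = [bool]$mp.RealTimeProtectionEnabled }
        [pscustomobject][ordered]@{ Control = 'TPC-12'; Check = 'Signatures updated within 1 day'
            Actual = "$($mp.AntivirusSignatureAge) day(s) old"; Pass = $mp.AntivirusSignatureAge -le 1 }
        # FullScanAge is a very large value when no full scan has ever run, so that fails too
        [pscustomobject][ordered]@{ Control = 'TPC-12'; Check = 'Full scan within 14 days'
            Actual = "$($mp.FullScanAge) day(s) ago"; Pass = $mp.FullScanAge -le 14 }
    )
    foreach ($fwp in $fw) {
        $rows += [pscustomobject][ordered]@{ Control = 'TPC-22'; Check = "Firewall profile '$($fwp.Name)' enabled"
            Actual = [string]$fwp.Enabled; Pass = ([string]$fwp.Enabled -eq 'True') }
    }
    $rows
}

$evidence = Get-EndpointEvidence
$evidence | Format-Table -AutoSize
# One timestamped CSV per host is the artefact to hand to the audit firm
$evidence | Export-Csv -NoTypeInformation -Path ("{0}-endpoint-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date))
$evidence | Where-Object { -not $_.Pass } | ForEach-Object { Write-Warning "$($_.Control): $($_.Check) FAILED ($($_.Actual))" }
```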
TPC-23
If Third Party discovers a Cybersecurity Incident, Third Party must (besides its continuous efforts to resolve and mitigate the Incident):
- Notify Saudi Aramco within twenty-four (24) hours of discovering the Incident.
- Follow the Cybersecurity Incident Response Instructions set forth in Appendix A.
Controls' Requirements (Comments noted where the standard gives them)

TPC-1
- Provide a copy of the approved AUP.
- Provide a sample of the communication sharing the AUP with employees.
- Provide the different versions of the approved and communicated AUP, showing the releases and updates.

TPC-2
- Provide technical check evidence confirming compliance with the control requirements.
- Provide evidence of the password configuration in Active Directory to ensure that default settings are not used. If Active Directory is not used, provide evidence from the local password policy on sample systems.
- Provide a copy of the password policy; it should comply with the control requirements and the technical check findings.

TPC-3
- Provide a copy of the password disclosure policy.
- Provide a copy of the actions taken if a password disclosure occurs, as part of consequence management.

TPC-4
- Provide technical check evidence confirming that strong authentication (e.g., multi-factor) is in place for remote user access; clear evidence of the authentication page must be provided.
- Provide the policies and procedures for remote user access, as part of the Third Party access control policy.

TPC-5
- Provide technical check evidence confirming that strong authentication (e.g., multi-factor) is in place for cloud access; clear evidence of the authentication page must be provided.
- Provide the policies and procedures for cloud security, as part of the Third Party access control policy.

TPC-6
- Provide the Third Party policy/contract covering the handling of Saudi Aramco credentials.
- Provide a sample of a communication (email) to Saudi Aramco requesting revocation of invalid accounts.
- Provide evidence of revoked accounts for people who are retired, resigned or no longer associated with the Third Party.

TPC-7
- Provide the acceptable use policy and/or training materials to ensure the content is adequate.
- Provide user training reports and/or documentation showing that users are trained in accordance with the applicable policy, guidance and/or requirement (e.g., annual cybersecurity training of all employees).
- Provide evidence that the training materials are updated based on changes in the cyber threat environment.

TPC-8
- Provide the Third Party Company Policy and contract on the use of personal email.
- Provide the Third Party policy/contract ensuring that third parties comply with the cybersecurity responsibilities defined in contracts and agreements.
- Provide related emails communicated to the Third Party's employees to ensure compliance with this control.
- Provide the relevant countermeasures the Third Party has taken to comply with the control requirements.

TPC-9
- Provide the Third Party policy, including contracts and agreements, that highlights the prohibited disclosure of Aramco related data.
- Provide related emails communicated to the Third Party's employees to ensure compliance with this control.
- Provide the relevant countermeasures the Third Party has taken in case of disclosure of Saudi Aramco data.

TPC-10
- Provide evidence of the related asset management policy that defines Technology Assets' protection.
- Provide evidence of the related policy requiring all Third Party systems to be password protected.

TPC-11
- Provide evidence of the patch management policy and procedures.
- Provide evidence from a sample of workstations that the OS and software are up to date.
- Provide evidence of the scheduling and technology used for patch and update deployment.

TPC-12
- Provide evidence of the anti-virus installed on endpoint devices.
- Provide evidence from the configuration console of the installed anti-virus software showing the last updates and the last full system scan performed.
- Provide evidence of the update history.

TPC-13
- Provide evidence of SPF implementation on the Third Party mail server.

TPC-14
- Provide evidence of SPF enforcement on Saudi Aramco email domains: Aramco.com and Aramco.com.sa.

TPC-15
- Provide evidence of the SPF record on the Third Party DNS server.

TPC-16
- Provide evidence of anti-spam protection applied to all incoming emails on the email security appliance.

TPC-17
- Provide evidence of the Third Party acceptable use policy (AUP) that highlights use of the Third Party private email domain only and prohibits the use of generic domains.

TPC-18
- Provide evidence of the Third Party termination procedures to determine whether accounts/access are disabled in a timely manner.
- Provide samples of the removal of all access to Assets as part of the Third Party off-boarding procedures.

TPC-19
- Provide evidence of the Third Party sanitization (data destruction) policies.
- Provide evidence that sanitization techniques and procedures are commensurate with the security category or classification of the information or asset and in accordance with organizational standards and policies.
- Provide proof (e.g., destruction certificates) that media sanitization is occurring according to policy.

TPC-20
- Saudi Aramco third parties must obtain a Cybersecurity Compliance Certificate (CCC) from Saudi Aramco authorized audit firms, which attests adherence to this standard.
- If a CCC has been obtained previously, evidence of certificate submission should be provided.
Comment: If this is the first CCC to be obtained, this will be justified by the audit firm.

TPC-21
- Saudi Aramco third parties must renew the CCC every two (2) years as per the standard requirements.
- A copy of the latest CCC obtained needs to be provided.
Comment: If this is the first CCC to be obtained, this will be justified by the audit firm.

TPC-22
- Provide evidence of the firewall settings for all Third Party endpoint devices, including the related policies for enabling firewalls.
- Provide evidence that the firewall is enabled for the domain, public and private profiles on a sample of Third Party endpoint devices.

TPC-23
- Provide evidence of the Third Party cybersecurity Incident management policies and procedures that conform with the requirements of this control.