Security Pass Program

The objective of the Security Pass Program is to ensure that stc partners adhere to the cybersecurity requirements mandated in the stc Suppliers Security Standard, by obtaining a compliance certificate from an authorized audit firm. This page provides stc partners with the guidance required to obtain the Security Pass Certificate. The Security Pass Program scope encompasses existing stc partners as well as potential partners that are aiming to conduct business with stc.

What are the Certification Requirements?

To obtain the Security Pass Certificate, the partner must ensure the requirements below are followed:

  1. Determine partner tiering
  2. Implement “applicable Security Pass Certification requirements”
  3. Complete “partner Compliance Cybersecurity Certificate report”
  4. Select Authorized audit firm

Determine partner tiering:

stc Security Pass Program includes specific cybersecurity requirements that are defined in stc Suppliers Security Standard, applicable based on the partner tiering determined by the activity of work.

Implement “applicable Security Pass Certification requirements”

  • The partner should refer to stc Suppliers Security Standard to identify the applicable cybersecurity requirements.
  • Applicable registered partners that are aiming to conduct business with stc must implement all cybersecurity controls in the stc Suppliers Security Standard before project execution. Moreover, partners awarded a contract to conduct business with stc must implement all cybersecurity controls in the stc Suppliers Security Standard that are applicable based on the partner tiering.
  • The partner should refer to the Partner Cybersecurity Control Requirements Guideline to understand the control implementation requirements.
  • The partner must obtain the certificate within 90 days after receiving notification from stc.

Complete “partner Compliance Cybersecurity Certificate report”

The partner responsibilities:

  • Fill in all the fields in the Partner Cybersecurity Certificate Report.
  • Ensure the answers are comprehensive and clearly described, and attach supporting documents.
  • Ensure evidence is clear, readable, and time-stamped.
  • Ensure evidence shows proof of its relation to stc.
  • Ensure the evidence is clearly pointed out/highlighted in the screenshots.
  • Provide valid justification for “not applicable controls”; this justification must be added to the Security Pass Certificate Inapplicable Controls Report and signed by the partner.
  • Implement all applicable cybersecurity controls specified in the stc Suppliers Security Standard on:
    • All partner information systems and/or Assets used to connect to stc’s network.
    • All partner Assets hosting, receiving, storing, processing, or transmitting stc data.
    • All partner assets must be secured, stored in keeping and must be made available to authorized users on a need-to-know basis.

How to Get Certified?

Remote Assessment Process

  • The partner should:
    1. Conduct compliance assessment based on the partner tiering that defines the assessment scope and the required cybersecurity controls as detailed in the stc Suppliers Security Standard.
    2. Follow the guidelines section in the Partner Cybersecurity Certificate Report to fill the report.
    3. Refer to the Partner Cybersecurity Control Requirements Guideline to understand the control implementation requirements.
    4. Select one of the Authorized audit firms from the Security Pass Authorized Audit Firms List in stc Partner Hub.
    5. Establish a contract with the audit firm prior to conducting the assessment validation.
    6. Submit the Security Pass Program Report to the audit firm prior to conducting the assessment validation.
  • The audit firm shall verify the submitted documents and generate the Security Pass Program Certificate Report.
  • The partner should obtain 100% compliance against all applicable stc Suppliers Security Standard requirements to attain the Security Pass Certificate from the audit firm.
  • If the partner does not obtain 100% compliance, the audit firm will share with the partner the Non-Compliance Controls that the partner needs to implement to obtain a 100% compliance assessment result.
  • The partner should implement the findings and submit the updated Security Pass Certificate to the audit firm to re-validate the assessment.
  • The partner should submit the Security Pass Certificate and the Security Pass Certificate Report to stc through the stc Partner Hub within 90 days for contract awarded partners.

Certificate Validity

The certificate will be valid for 2 years from the issue date.

Authorized Assessment Firms

  • The certificate assessment and issuance will be conducted by an independent audit firm authorized by stc.
  • The audit firm will be responsible for verifying partners' compliance against the stc Suppliers Security Standard requirements and issuing the Security Pass Program Certificate.
  • stc shall only accept a Security Pass Program Certificate issued by the authorized audit firms.
  • The Security Pass Program Authorized Audit Firms List and contact information can be found in stc partner hub which will be updated regularly.
  • The partner should refer to the updated Security Pass Program Authorized Audit Firms List in stc partner hub to select an audit firm and establish a contract.
  • The audit firm is responsible for validating the partner's cybersecurity compliance against the applicable stc Suppliers Security Standard requirements and issuing Cybersecurity Certifications only.
  • The audit firm will share a monthly update on the Security Pass certification progress with the stc Cybersecurity GRC department.

| Audit firm | Email | Web page |
|---|---|---|
| Cipher Company for cybersecurity | securitypass@cipher.com.sa | www.cipher.com.sa |
| Deloitte | dmeradtas@deloitte.com | www.deloitte.com |
| KPMG | sa-fmthird-partyrisk@kpmg.com | www.kpmg.com |
| pwc | muhammad.umair.khan@pwc.com | www.pwc.com |
| Sirar | securitypass@sirar.com.sa | www.sirar.com.sa |
