BCDR

SAMA CSF Compliance Checklist for Cloud-Native Data Teams

Mahesh Chandran

CEO, Dataring

The Saudi Arabian Monetary Authority Cybersecurity Framework (SAMA CSF) is the mandatory cybersecurity standard for every bank, insurer, and financial institution operating in Saudi Arabia. For data teams running cloud-native infrastructure, SAMA CSF compliance is not a one-time audit — it is an ongoing architectural requirement that shapes how you design, deploy, and recover your data systems.

This checklist maps the key SAMA CSF domains to the practical decisions cloud-native data teams face every day.

1. Cybersecurity Leadership and Governance

SAMA CSF requires a formal cybersecurity governance structure with board-level accountability. For data teams, this means:

  • Assign a data protection officer with explicit responsibility for data infrastructure security, separate from general IT security.

  • Document data classification policies that define which datasets are Tier 0 (core banking), Tier 1 (critical applications), and Tier 2 (internal reporting). This classification directly drives your DR architecture decisions.

  • Establish a data security committee that reviews access controls, encryption policies, and disaster recovery test results quarterly.

  • Maintain a data asset inventory — every database, warehouse, pipeline, and dashboard cataloged with its owner, classification, and recovery priority.

2. Cybersecurity Risk Management

Risk management under SAMA CSF demands continuous identification and mitigation of threats to data assets:

  • Conduct annual threat modeling that includes both cyber threats (ransomware, DDoS, insider threats) and kinetic threats (physical infrastructure strikes, subsea cable disruption, power grid failures). After March 2026, kinetic threats are no longer theoretical in the GCC.

  • Define RTO and RPO for every data tier. Tier 0 core banking systems should target sub-minute RTO and zero RPO. Tier 1 applications can tolerate 15-minute RPO and 4-hour RTO.

  • Map third-party dependencies — cloud providers, DNS services, identity providers, monitoring tools. If your primary cloud provider suffers a regional outage, which of your dependencies fail with it?

  • Quantify financial impact of data downtime. The average cost of downtime for financial services is $5,600 per minute (Ponemon Institute). Use this to justify DR investment to leadership.

3. Cybersecurity Operations and Technology

This is where architecture decisions meet compliance requirements:

  • Encrypt data at rest and in transit across all environments. Use AES-256 for storage and TLS 1.3 for all inter-service communication.

  • Implement network segmentation between production, DR, and backup environments. Your immutable backup infrastructure must be air-gapped from your primary network.

  • Deploy multi-region architecture with geographic dispersion that exceeds the blast radius of a single regional disruption. For Saudi-based institutions, this typically means a primary in Riyadh or Jeddah with DR in a remote GCC region or Europe.

  • Use synchronous replication for Tier 0 data. Core banking databases, payment gateways, and trading platforms cannot tolerate data loss during failover.

  • Automate failover orchestration. Manual runbooks introduce human error and delay. Your failover sequence should execute automatically with human approval gates only at critical decision points.

4. Third-Party Cybersecurity

SAMA CSF holds you accountable for your vendors' security posture:

  • Audit cloud provider DR capabilities annually. Verify that your provider's multi-AZ and multi-region failover actually works under load.

  • Require contractual SLAs for recovery. Your cloud provider contract should include specific RTO/RPO commitments with financial penalties.

  • Validate data residency compliance. Saudi financial data may need to remain within Saudi borders, with pre-negotiated exception frameworks for emergency cross-border failover.

  • Assess vendor concentration risk. If your production, DR, DNS, identity provider, and monitoring all run on the same cloud provider, you have a single point of failure.

5. Business Continuity and Disaster Recovery

This is the domain where data teams have the most direct responsibility:

  • Maintain immutable backups using the 3-2-1-1 rule: 3 copies of data, on 2 different media types, with 1 offsite copy and 1 immutable (WORM) copy.

  • Test failover quarterly with increasing severity. Start with component failover, progress to partial region, then full region. The gold standard is a Level 4 "Chaos + Conflict" simulation.

  • Validate data integrity after every failover test. Run automated data quality checks against pre-failover baselines within minutes of failover completing.

  • Document and rehearse crisis communication. Who notifies SAMA? Who communicates to customers? These must be rehearsed, not just documented.

  • Generate compliance evidence packs automatically. SAMA auditors will ask for proof that DR tests were conducted, that data integrity was validated, and that recovery met stated RTO/RPO targets.
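The post-failover integrity check and evidence record described above, combined with the per-tier RTO/RPO targets from section 2, as an added illustration (this is example code written for this checklist, not Dataring's product code). Table names, checksums, timestamps and the tier-to-target mapping are all constructed; the baseline is assumed to have been captured immediately before the failover test.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Section 2 targets per tier as (RTO, RPO); the tier keys are a hypothetical mapping.
TIER_TARGETS = {"tier0": (timedelta(minutes=1), timedelta(0)),
                "tier1": (timedelta(hours=4), timedelta(minutes=15))}

@dataclass
class Snapshot:
    table: str
    tier: str
    rows: int
    checksum: str            # content hash of the table at capture time
    latest_event: datetime   # newest business event present in the table

def validate_failover(baselines, post, failover_start, service_restored):
    """Compare post-failover snapshots with pre-failover baselines; return one
    audit-evidence record per table with observed RTO/RPO and any findings."""
    rto = service_restored - failover_start
    after_by_table = {s.table: s for s in post}
    evidence = []
    for base in baselines:
        after, findings, rpo = after_by_table.get(base.table), [], None
        if after is None:
            findings.append("table missing after failover")
        else:
            target_rto, target_rpo = TIER_TARGETS[base.tier]
            # Loss window: how far the surviving high-water mark lags the baseline.
            rpo = max(base.latest_event - after.latest_event, timedelta(0))
            if after.rows < base.rows:
                findings.append(f"row count dropped {base.rows}->{after.rows}")
            elif after.rows == base.rows and after.checksum != base.checksum:
                findings.append("checksum mismatch at equal row count")
            if rpo > target_rpo:
                findings.append(f"RPO breached: {rpo} of data lost")
            if rto > target_rto:
                findings.append(f"RTO breached: restored after {rto}")
        evidence.append({"table": base.table, "tier": base.tier,
                         "rto_s": rto.total_seconds(),
                         "rpo_s": None if rpo is None else rpo.total_seconds(),
                         "passed": not findings, "findings": findings})
    return evidence

# Constructed sample: a Tier 0 ledger lost 30 s of writes; Tier 1 reports intact.
T0 = datetime(2026, 3, 1, 9, 0, 0)
BASELINE = [Snapshot("ledger", "tier0", 1000, "c0ffee", T0),
            Snapshot("reports", "tier1", 500, "beef00", T0 - timedelta(minutes=10))]
POST = [Snapshot("ledger", "tier0", 998, "dead00", T0 - timedelta(seconds=30)),
        Snapshot("reports", "tier1", 500, "beef00", T0 - timedelta(minutes=10))]
FAILOVER_START, SERVICE_RESTORED = T0, T0 + timedelta(seconds=45)
```

Calling `validate_failover(BASELINE, POST, FAILOVER_START, SERVICE_RESTORED)` flags the ledger (row loss and a 30 s RPO breach against a zero-RPO target) while the reports table passes; the returned records are the per-table evidence an auditor would expect to see attached to the test run.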

6. Incident and Threat Management

  • Implement real-time anomaly detection on all data pipelines. Schema drift, volume spikes, and reconciliation failures should trigger alerts within minutes.

  • Maintain a data incident response playbook covering data corruption, unauthorized access, pipeline failure, and cross-region failover scenarios.

  • Log all data access and transformations with column-level lineage. When SAMA asks "who accessed this data and what happened to it," you need a definitive answer.

  • Report material incidents to SAMA within the required timeframe. Have pre-drafted notification templates ready.
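The pipeline anomaly detection from the first item above (schema drift, volume spikes and reconciliation failures) as an added example, not Dataring's or SAMA's code. The run records, column names and the spike threshold (a run reading more than twice the trailing median) are constructed assumptions.

```python
from statistics import median

# Constructed pipeline-run records: schema as {column: type}, plus rows read from
# the source and rows written to the target for the reconciliation check.
BASE = {"id": "int", "amount": "decimal", "ts": "timestamp"}
DRIFTED = {"id": "int", "amount": "float", "ts": "timestamp", "channel": "string"}
RUNS = [
    {"run": "r1", "schema": BASE, "rows_in": 1000, "rows_out": 1000},
    {"run": "r2", "schema": BASE, "rows_in": 1040, "rows_out": 1040},
    {"run": "r3", "schema": BASE, "rows_in": 980, "rows_out": 980},
    # r4: a type change, a new column, and 20 rows lost between source and target
    {"run": "r4", "schema": DRIFTED, "rows_in": 1010, "rows_out": 990},
    # r5: volume spike, roughly 5x the trailing median
    {"run": "r5", "schema": DRIFTED, "rows_in": 5200, "rows_out": 5200},
]

def schema_drift(prev, cur):
    """Return findings describing how schema `cur` differs from `prev`."""
    findings = [f"column removed: {c}" for c in prev if c not in cur]
    findings += [f"column added: {c}" for c in cur if c not in prev]
    findings += [f"type changed: {c} {prev[c]}->{cur[c]}"
                 for c in prev if c in cur and prev[c] != cur[c]]
    return findings

def detect_anomalies(runs, window=3, spike_ratio=2.0):
    """Scan runs in order and emit (run, finding) alerts for schema drift against
    the previous run, volume spikes against the trailing median, and
    source/target reconciliation failures."""
    alerts = []
    for i, run in enumerate(runs):
        if i > 0:
            alerts += [(run["run"], f)
                       for f in schema_drift(runs[i - 1]["schema"], run["schema"])]
            baseline = median(r["rows_in"] for r in runs[max(0, i - window):i])
            if baseline and run["rows_in"] > spike_ratio * baseline:
                alerts.append((run["run"], f"volume spike: {run['rows_in']} rows "
                                           f"vs trailing median {baseline:g}"))
        if run["rows_out"] != run["rows_in"]:
            alerts.append((run["run"], f"reconciliation failure: read "
                                       f"{run['rows_in']}, wrote {run['rows_out']}"))
    return alerts
```

In a real deployment each alert tuple would be routed to the on-call channel and written to the incident log with the run identifier, so the lineage question "what happened to this data" can be answered from the same record.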

How Dataring Helps

Dataring's product suite is purpose-built for SAMA CSF compliance in cloud-native data environments:

  • DataBridge provides the failover-aware query layer that enables multi-region architecture without application-level changes.

  • DataQualityHQ delivers continuous data validation, lineage tracking, and automated PII classification. After failover, it validates data integrity and generates audit-ready evidence packs.

  • DataFlow orchestrates the failover sequence, replacing manual runbooks with automated, auditable workflows.

Our BCDR consulting practice for financial services delivers end-to-end SAMA CSF alignment, from gap assessment through architecture design, implementation, and Level 4 testing.

Book a complimentary BCDR assessment to evaluate your current SAMA CSF readiness.