S: SAAD: In this part I'm interested in how to design the security policy that is distributed for all hospitals in the department or users, specifically the clinic. My question; how do security policy design in the hospital? Is it from scratch? Are you using any template, are you adopting any ISO or standards?

R: RAMI: As a department, yes, we are ISO certified. ISO 27001, which is the ISO [UNCLEAR] security management. For data centre [UNCLEAR]. 
We have developed some security policies and procedures already in place; our own department, again.

S: SAAD: From scratch, or- how did you design?

R: RAMI: Design is based on the standards of frameworks. ISO has some policies and procedures already in place. I base on their framework and stuff.
So we took it from there and reviewed policy and procedures in a way that fit our organisation; our department in particular.

S: SAAD: So you take it as a reference, ISO?

R: RAMI:  Actually, it is
our standards.

S: SAAD: So you take ISO, you see
what's there and try to design your own, implement it as your version of ISO?

R: RAMI: Yes.

So you adopted it in some way or another from ISO. Are there any regulations that you have to comply with here in Saudi Arabia?

R: RAMI: As information security again, I've been [UNCLEAR].
Recently now, as you know, there's NCA, National Security Authority has been established by the government, and they're supposed to regulate all these things. There are some from the Ministry of IT/Communication, and even from some other entities in the country. [UNCLEAR] some policies, some regulations we have to comply; We're organised, I would say.

But it's not mandated for you to- like HIPAA in the US, for example.

R: RAMI: We have to here in the hospital. They have HIPAA standard, and we
[UNCLEAR]. But they look after more medical connections. ISO, one of the certificates you have is the information security. So really they come under your audit. Regulators in the Saudi [UNCLEAR] 'Sabahi/SBAHCP'; since last year, they come and they ask so many questions. Some of the areas are specifically information security. They ask about regulations, the policy, the procedures, the incident reports as you mentioned before.  [ARABIC] 

S: SAAD: Healthcare.

R: RAMI:  [ARABIC] they ask everything

S: SAAD: It's an annual thing here, happening?

R: RAMI: They started every two years.

So we can say you are obligated  [ARABIC] 

R: RAMI: [UNCLEAR] [ARABIC] you need to look at [UNCLEAR]

Are there any other internal/ external factors that dictate how you design your security policy?

R: RAMI: By the organisational structure, we have an entity called Internal Audit. By design
they look after every incident in the organisation. As you know information security is something very hot; people who not any [UNCLEAR] to understand the importance of security. So I would say at this moment, if an internal audit; they are not looking or asking all incidents from [UNCLEAR] ‘ITT’ There is nothing clearly in between us and them with regards to information security incidents and regulations as well. But by the organisation structure, if there is anything going wrong it should be reported to the-

S: SAAD: Technical or non-technical, it’s supposed to go through the internal audit?

R: RAMI: Whenever something's [UNCLEAR]

S: SAAD: If some hacking happened, do they involve- ?

R: RAMI: I [UNCLEAR] experience, but if there is I’m sure by 
organisational structure they have to be notified. So I don’t know- If we need to go to some external entities now for exam; because in Saudi we have an entity called National Cyber Security Centre where they offer this service, and we have CERT, from the Ministry of Communication. They have a department called CERT - Computer Emergency Response, something like that, that's shortened to CERT. 

So how the internal audit impacts the policy design?

R: RAMI: [UNCLEAR] the policy design, they call it APP.


R: RAMI: Among all of the hospital. APP something is only organisational. I think APP should be a [UNCLEAR].
They are like the point of contact for all APPs. It has to go from their executive director, then it has to go to the [CTO].

they have a kind of contribution; even though, for example-


S: SAAD: If you create a policy;
if you create a draft for a password policy, and then you escalate it to- so once you finish it as a department, you want this policy as a security department to be distributed to all the clinical/non-clinical staff. So you've sent it to the internal audit, and then the internal audit can edit this policy and modify it in their way. Or you have to comply with the specific template that they have. So how [do] you manage the situation?

R: RAMI: [UNCLEAR] about all policy and procedures.
 Because for example, the password is something technical and you call it DBB; Department of [UNCLEAR]. We apply the technology and users comply with it. And we have to, by the way. Every six months users should reset their password.

S: SAAD: So you
create one? For example, you wanted to update the existing password policy. And then you, for example, change it from eight to ten, let's say that. It will not apply this policy only in department; you want this policy to be distributed to all the hospital. What is the procedure that you do?

R: RAMI: That's my point; some policies are departmental, like the password.
We manage it and we roll it out to all users, because it's a system active directory. If we want to go for an internal audit for each policy and procedure, we will end having hundreds of [UNCLEAR]. They will say as IT, for example, you should have [UNCLEAR] policy and procedures. Internally you can do whatever you have. Let's take an example and say controls [UNCLEAR]

S: SAAD: Then you do it yourself and send it to all employees here in hospital.

R: RAMI: Yeah, it depends on the system; for example, password. You will see it in your screen. Your
password should be eight characters - include letters, [UNCLEAR] numbers, blah blah blah - you have to comply. If you want a password, you have to comply. You'll have 'wrong password' until you correct it.

Another way; so the template that's used in departmental, is it the same one that's used for [APP]?

R: RAMI: No.


R: RAMI: As of today, it's not.

S: SAAD: So it's not matching?

if you want the same as a template? This is our department, this is internal department.

S: SAAD: And you
create, for example, the policy itself from scratch as your own and then based-

R: RAMI: The [

S: SAAD: Based on ISO or-

R: RAMI: Exactly.

S: SAAD: And if
someone wanted to access this policy - for example, the password policy - so you need to apply once you update it. So you sent an email for everyone, "this is a new policy update" Go and look...

Again, departmental, no. This would be within the department/IT team only. Because [UNCLEAR] as I said.

S: SAAD: But it will affect all the clinical, so how you manage that?

We usually don't do measure changes, because as you said, these are like- once you have it in place from the beginning, changes won't be much. And if there is then I don't even recall we had to change something major in these DBBs. Even the password that's this year, is the same 10-character and even in other stuff.

The end of a session is marked by the “END OF TRANSCRIPT” sign at the bottom of every page.