🛡️ NCA Cybersecurity Controls
BayanCore aligns with the National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC-1:2018). This framework provides a baseline for protecting the information assets and operations of Saudi organizations.
1. Access Control & Identity Security (NCA-2-3)
- Multi-Factor Authentication (MFA): Clerk enforces mandatory SMS or TOTP multi-factor authentication for all administrative accounts, engineering interfaces, and manager-level approval roles.
- Segregation of Duties (Least Privilege): Administrative access is segregated. Developers do not have access to production databases. System actions run under restricted service account roles (e.g. the backup engine cannot drop database tables).
- Inactivity Session Termination: Web interfaces automatically terminate user sessions and require re-authentication after 15 minutes of inactivity, complying with standard NCA session controls.
2. Information and Assets Protection (NCA-2-2)
Encryption Policies
- Data in Transit: All network communication (client-to-server, API gateway-to-microservice, server-to-database) is encrypted using TLS 1.3 with secure cipher suites.
- Data at Rest: OCI block volumes, relational databases, backups, and vector databases are encrypted using AES-256 with key management handled securely by OCI Vault.
Network Micro-segmentation
- Private Subnets: All core databases, worker processes, and AI nodes run in isolated private subnets within the Virtual Cloud Network (VCN).
- Network Security Groups (NSGs): Traffic is restricted using stateful security rules. Relational database nodes accept connections exclusively from active execution layer containers on designated ports.
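To illustrate the micro-segmentation rule above, here is an added Terraform example (not BayanCore's own configuration) expressing "database nodes accept connections only from execution-layer containers" as OCI NSG rules. The compartment, VCN, the application NSG and port 5432 are assumed placeholders; the key point is that the rule source is another NSG rather than a CIDR, so only workloads attached to that NSG can reach the database, and because NSGs are default-deny no explicit deny rule is needed.

```hcl
# NSG attached to the execution-layer (application) containers. Assumed names.
resource "oci_core_network_security_group" "app" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
  display_name   = "nsg-execution-layer"
}

# NSG attached to the relational database nodes.
resource "oci_core_network_security_group" "db" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
  display_name   = "nsg-database"
}

# Ingress to the database is allowed only from members of the app NSG,
# only on the designated port (5432 is a placeholder), and only over TCP.
# The rule is stateful, so return traffic is matched automatically.
resource "oci_core_network_security_group_security_rule" "db_ingress_from_app" {
  network_security_group_id = oci_core_network_security_group.db.id
  direction                 = "INGRESS"
  protocol                  = "6" # TCP
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.app.id
  stateless                 = false

  tcp_options {
    destination_port_range {
      min = 5432
      max = 5432
    }
  }
}

# Matching egress on the app side: containers may open connections
# to the database NSG on that port and nothing else is implied.
resource "oci_core_network_security_group_security_rule" "app_egress_to_db" {
  network_security_group_id = oci_core_network_security_group.app.id
  direction                 = "EGRESS"
  protocol                  = "6"
  destination_type          = "NETWORK_SECURITY_GROUP"
  destination               = oci_core_network_security_group.db.id
  stateless                 = false

  tcp_options {
    destination_port_range {
      min = 5432
      max = 5432
    }
  }
}
```

Because there is no ingress rule with a CIDR source, a host in the same private subnet that is not attached to the app NSG still cannot connect to the database.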
3. Vulnerability & Patch Management (NCA-2-8)
- Dependency Scanning: All code repositories run automated dependency scanning (SAST) on pull request triggers to flag package vulnerabilities.
- Container Security: Production Docker images are built on minimal, hardened base images (such as Alpine or distroless) and scanned for vulnerabilities before deployment to the registry.
- Patch Rotations: Security updates and kernel patches are automatically applied to Kubernetes worker nodes during scheduled maintenance windows, leveraging rolling node updates to avoid downtime.
4. Disaster Recovery & Backup Integrity (NCA-2-12)
- Backup Encryption: Databases and Object Storage are backed up daily. Backups are encrypted at rest using AES-256 and stored as write-once, read-many (WORM) objects in OCI Object Storage.
- Resiliency Replication: Relational databases replicate asynchronously to the secondary OCI Jeddah region, guaranteeing an RPO (Recovery Point Objective) of <1 hour and an RTO (Recovery Time Objective) of <4 hours.
- Drill Testing: Disaster recovery failover tests are executed bi-annually, validating backup recovery pipelines and verifying data integrity.