11/07/2017
NESA UAE Information Assurance Standards | Dionach
18 Oct 2015
Blog
The UAE’s National Electronic Security Authority (NESA) is tasked with developing and monitoring the UAE Information Assurance Standards (IAS). The IAS come under the National Information Assurance Framework (NIAF), which itself is part of the Critical Information Infrastructure Protection (CIIP) Policy. The IAS are primarily based on ISO 27001:2005, with some additional controls. Some of these additional controls are taken from ISO 27001:2013 and some from NIST, whereas others are new, such as cloud security and BYOD security. Compared to ISO 27001, the IAS also have additional specific requirements for each control, namely sub-controls, document requirements and performance indicators.

From a high-level perspective, organisations (or entities, as the IAS terms them) in the UAE need to comply with the common IAS standards and any specific IAS standards relating to their industry sector. Organisations need to report compliance progress to sector regulators, who then report to NESA. The IAS are based on organisations understanding their information security requirements, which involves carrying out risk assessments, implementing security controls, monitoring those controls, and ensuring continual improvement.
https://www.dionach.com/blog/nesa-uae-information-assurance-standards
The risk assessment mandated by the M2 control family in the IAS requires specific steps, which are very close to the ISO 27001 risk assessment requirements. Firstly, the organisation needs to determine the context and scope, and then establish the risk criteria and risk methodology. The organisation then needs to identify risks, threats, vulnerabilities, impacts and likelihoods, along with a resulting risk level. The risk criteria then determine whether risks are acceptable or need treatment. Finally, the organisation needs to monitor risks and regularly review the risk assessment.

The security controls within the IAS are applicable either because they are marked as “always applicable” or because the risk assessment determines that they apply. Controls are prioritized to allow an incremental implementation, although all applicable controls are mandatory. Priorities of controls, other than those with P1 priority, can be changed based on the risk assessment outcome. Each control has a number of sub-controls, which give a clear list of requirements for the control. Each control also has implementation guidance, similar to ISO 27002:2005 but included as part of each control, which will help with implementation. The controls are divided into families of management controls and technical controls, as shown in the tables below:
Management control families                                        Controls
M1 Strategy and planning                                           15
M2 Information security risk management                            11
M3 Awareness and training                                           8
M4 Human resources security                                         8
M5 Compliance                                                      13
M6 Performance evaluation and improvement                           5

Technical control families                                         Controls
T1 Asset management                                                10
T2 Physical and environmental security                             16
T3 Operations management                                           17
T4 Communications                                                  15
T5 Access control                                                  22
T6 Third party security                                             6
T7 Information systems acquisition, development and maintenance    25
T8 Information security incident management                        13
T9 Information security continuity management                       4
There are 188 controls, of which 60 are management controls and 128 are technical controls. 35 of the management controls are “always applicable”; none of the technical controls are. Each control has one of four priorities, with the number of controls at each priority as follows:
Priority   Controls
P1         39
P2         69
P3         35
P4         45
NESA has also published a summary list of the P1 controls, with the list in order of relative impact level. For example, it shows that controls against malware and good password management can have a very high level of impact on attack mitigation. Although there are only 35 controls that are always applicable, it is very likely that many of the other controls will apply. If controls do apply, organisations will still need to achieve compliance regardless of the priority level of the control.

In my opinion there are several stages to achieving and maintaining compliance to the NESA UAE IAS:

- Gap audit
- Training
- Risk assessment
- Implementation
- Annual compliance audits
Gap audits determine how compliant organisations are and the actions needed to achieve compliance, with estimates of resources and timescales.
Training gives those who need to be involved in working towards and maintaining compliance the required knowledge. This will help the organisation implement the IAS more efficiently, more quickly and more cost effectively. Training is appropriate for internal stakeholders, information security staff, business unit leaders and certain IT staff.

The risk assessment methodology is specific to the M2 control family and can determine which controls apply to each organisation. It is important to start with a risk assessment methodology that fits the organisation, to ensure it is meaningful, efficient and meets the requirements of the IAS. The risk assessment requires input from internal stakeholders and business unit leaders.

The gap audit can occur after training and risk assessment; however, many organisations benefit from seeing what work is needed at the start of the compliance journey. An organisation can also have gap audits at key stages of the implementation phase.
Implementation is best done internally. Actions from the gap audit and risk treatment actions from the risk assessment will drive implementation. Annual compliance audits can ensure organisations remain compliant. The compliance audit complements the internal audit process in M6 by providing an external, independent audit.

In summary, the NESA UAE Information Assurance Standards are a good set of standards based on solid international information security standards. The IAS also have the benefit of having clear sub-controls and performance indicators, which I think sets them apart. Although ISO 27001 is the international standard for an information security management system, I think any organisation would benefit from using the UAE IAS.
Posted by Bil