In June 2014, the National Electronic Security Authority (NESA) announced a number of key strategies, policies and standards to direct and align national cyber-security efforts all across the United Arab Emirates (UAE).
The announcement came shortly after a meeting between senior officials from local and federal entities representing the entire spectrum of the Emirates Government, at which a National Cyber Security Program was launched.
What is NESA?
The National Electronic Security Authority (NESA) is a UAE federal authority that operates under the Supreme Council for National Security. NESA is responsible for advancing the nation’s cyber security, expanding cyber awareness and creating a collaborative culture rooted in information technology and innovation. To achieve these objectives, NESA has devised a new set of guidelines and standards for all government entities and for any other entities that NESA identifies as providing a critical national service. Compliance with NESA is therefore mandatory for all such entities.
The new rules and regulations draw on a number of existing, widely adopted security standards and guidance (such as NIST and ISO 27001). The NESA information pack includes several documents, among them the Critical Information Infrastructure Protection Policy (CIIP) and the Information Assurance Standards (IAS).
Here’s what you need to know:
Who Should Comply?
NESA compliance is mandatory for all UAE government entities and for any other entities that NESA identifies as providing a critical national service. It is also applicable and mandatory for all other participating stakeholders that support, handle or provide services involving critical national information. For all other UAE entities, NESA recommends following the guidelines on a voluntary basis in order to help raise the nation’s minimum security level.
Areas of Compliance
In a technology-driven world, cybercrime is on the rise and organizations face a continual threat of losing critical data. This includes not only sensitive customer data but also the legal, statutory, financial and operational data needed to run the business. This is why the NESA compliance requirements were introduced; they cover three distinct areas: ISO 27001, PCI DSS and Cyber Essentials.
Objectives of NESA Compliance
The objective of NESA compliance is not only to keep critical data safe, but also to:
Strengthen the security of critical information infrastructure and reduce the corresponding risk levels;
Detect, respond to and recover from significant cyber security incidents, and reduce their impact on the society and economy of the UAE;
Increase cyber security awareness among the workforce and thereby build a national capability;
Foster collaboration at the sector and national levels.
New Control System
It is necessary to understand the difference between NESA’s two compliance frameworks. ISO 27001 merely provides guidance in the form of additional, detailed documentation. The NESA IAS, on the other hand, contains brief guidance at each of several levels of control. It also summarizes the main components that make up the high-level controls and how they should be applied.
Here is how your new control system should be designed:
Unlike other information security standards in use across the UAE, NESA does not define a fixed scope for its application, adoption and implementation. This gives CII controllers the latitude to achieve organization-wide NESA compliance in whatever way suits them.
Sophisticated hackers do not limit themselves in the way organizations do. An organization with control deficiencies is therefore exposed to hacking attempts and malware from anyone, anywhere in the world, and such attackers can target any part of the business.
For these reasons, NESA recommends that all organizations handling critical information, from small to large, begin their compliance effort with a thorough risk assessment. This exercise helps identify the critical assets that must be protected at all costs. It also lets management address security control-related issues without first having to implement or pursue an organization-wide NESA compliance policy.
Audits and Audit Trails
NESA adopts a tiered approach to enforcing compliance, much like the merchant levels used under PCI DSS. It is important to note that the level of risk your organization poses to the UAE information infrastructure determines how closely NESA regulators will work with you.
Here is how the NESA compliance audit framework works:
About the Author
Sheikh Shadab is a Cyber Security & IT GRC professional with over a decade of experience in conceptualizing, selling, managing and executing complex technology projects across industry verticals in India, the Middle East, the USA and South East Asia.