NESA stands for National Electronic Security Authority and is a government institution that aims to provide strict guidelines to organizations for keeping their information security capabilities in line with the highest standards to avoid cyber security threats. The compliance requirements are outlined under the UAE IA Standards which require organizations to implement them across their information assets and supporting systems.
Compliance with the NESA UAE IA Standard is mandatory for all UAE government entities and for other entities identified as critical by NESA, as it is an essential facet of the National Cyber Security Strategy and also forms the minimum requirement for integrating with the Sector and National platforms. For all other UAE entities, NESA highly recommends following the guidelines on a voluntary basis, in order to participate in raising the nation’s minimum security levels.
Organizations that follow these compliance requirements attain a number of benefits including greater protection of their information assets, and fostering of a security-conscious culture that is useful for overcoming emerging security challenges.
The UAE IA Standards promote a life cycle approach for establishing, implementing, maintaining, and continuously improving Information Assurance. This life cycle approach ensures continual improvement of the UAE’s Information Assurance capabilities based on well-defined activities.
UNDERSTANDING an entity’s and/or sector’s information security requirements and the need to establish a policy and objectives for information security
CONDUCTING risk assessments, identifying appropriate risk treatment actions, and selecting controls to manage the risks
IMPLEMENTING and operating security controls to manage information security risks in the context of the entity’s or sector’s overall business risks
MONITORING and reviewing the performance and effectiveness of the information security processes and controls
ENSURING continual improvement based on objective measurements
Paladion’s sophisticated expertise in crafting information security solutions for enterprises gives it immense credibility in enabling organizations to meet NESA compliance standards. Our NESA compliance service includes the industry’s first fully managed solution, called NESA Compliance Management Solution (NESA-CMS). This is a one-stop package for entities that are mandated by NESA to demonstrate their compliance with the stringent cyber security requirements of the UAE IA Standard. It is extremely important for entities to understand that demonstration of initial compliance is the start of the journey and not the end. Entities will have to showcase annually the sustenance and increasing maturity of their cyber security controls to the sector regulators and, in turn, to the NESA authorities. To this end, the managed model of NESA-CMS will be an extended arm of the entities, helping them efficiently and effectively manage their compliance requirements on an ongoing basis.
| MANAGED NESA GRC | MANAGED NETWORK SECURITY | MANAGED ENDPOINT SECURITY | MANAGED MOBILE DEVICE SECURITY | MANAGED SECURITY TESTING & MONITORING |
|---|---|---|---|---|
| NESA GRC Implementation | Perimeter Security | Endpoint Protection | Mobile Device Management | Security Testing |
| NESA Compliance Audit Support | Web Proxy | DLP | Mobile Application Management | Security Log Collection & Analysis |
| Ongoing Sustenance of NESA GRC | URL Filter | Patch Management | Mobile Email Management | Log Retention |
| | Wi-Fi Security | Backup Management | Mobile Browsing Management | Security Incident Management |
| | Remote User Access Security | Client VPN | Mobile Endpoint Protection | Brand Monitoring |
Paladion’s NESA compliance service gives implementing entities the flexibility to choose the desired solution components as per their business and compliance requirements.
The implementation of Solution Component-1 is undertaken by Paladion in the following manner.
As part of Paladion’s NESA compliance service, we will develop and implement all P1, P2, P3 and P4 controls prescribed by the NESA UAE IA Standard.

| Priority Level | P1 | P2 | P3 | P4 |
|---|---|---|---|---|
| Number of Controls | 39 | 69 | 35 | 45 |
The above set of 188 controls includes 35 mandatory controls referred to as “Always Applicable”, as these represent requirements for instituting foundational IA capabilities within an entity. Given their foundational role, the “Always Applicable” security controls need to be implemented by each relevant entity regardless of its risk assessment outcomes. Applicability of the remaining 153 security controls is decided as an output of the risk assessment results, taking into consideration the specific business and operational context of the entity.
The implementation of Solution Component-2 will include deployment & ongoing administration of perimeter security devices e.g. firewall & IPS, web proxies, URL filter, Wi-Fi security, remote user access security etc. Implementing entities will have the choice to select the desired technologies as per the technology requirements of UAE IA Standard.
Firewall/IPS
Gateway Anti-virus
URL/Web Content Filtering
VPN & Roaming User Management
Web 2.0 Controls
Botnet Filtering
Geo-IP Filtering
Proxy Caching
Bandwidth Control
Reports & Dashboards
Policy and Configuration Management
Customer Portal
Wi-Fi
Compliance & Monitoring
The implementation of Solution Component-3 will include deployment & ongoing administration of endpoint protection solution, DLP agent, patch management solution, backup & restoration solution, client VPN etc. Implementing entities will have the choice to select the desired technologies as per the technology requirements of UAE IA Standard.
Anti-Virus/Anti-Malware
Firewall
Device Control
Application Control
Patch Management
Desktop Compliance
IT Usage/Productivity
Back-up (local)
Client VPN
Inventory
Policy and Configuration Management
Reports & Dashboards
Compliance & Monitoring
Customer Portal
The implementation of Solution Component-4 will include deployment & ongoing administration of mobile device management solution, mobile application management module, mobile email management module, mobile browsing management module, mobile endpoint protection module etc. Implementing entities will have the choice to select the desired technologies as per the technology requirements of UAE IA Standard.
Mobile Device Management (MDM)
Mobile Application Management (MAM)
Mobile Email Management (MEM)
Mobile Browsing Management (MBM)
Mobile Kiosk Management (MKM)
Containerization and App Wrapping
Geo-Fencing
Location Tracking
BYOD Management
Anti-Virus
Policy and Configuration Management
Reports & Dashboards
Compliance & Monitoring
Customer Portal
The implementation of Solution Component-5 will include deployment & ongoing administration of security testing e.g. penetration testing, application security testing, configuration review etc., security log collection & analysis on a 24/7 basis, log retention, security incident management support, brand monitoring service e.g. phishing monitoring, website malware monitoring etc. Implementing entities will have the choice to select the desired technologies as per the technology requirements of UAE IA Standard.
Security Logs Collection/Aggregation
Security Logs Analysis
Configurable Log Retention
Multiple Devices/Platform Support
24×7 Monitoring from SOC
Incident Management Support
Risk-based Alert Prioritization
Alerts through Email/SMS/Portal
Detect both internal & external attacks
Daily Malware Monitoring for Websites
Rules & Alerts Management
Reports & Dashboards
Compliance & Monitoring
Customer Portal
In summary, the NESA-CMS included in our NESA compliance service provides implementing entities with a fully managed solution for the cyber security compliance requirements of the NESA UAE IA Standard. Paladion is privileged to offer consulting services that help organizations meet regional and international compliance regulations and laws. With over 15 years of experience in the information security industry, we know first-hand the challenges and common errors in protecting your information assets.
Copyright All Rights Reserved © 2020