NESA – UAE’s Information Security Standard
NESA, The National Electronic Security Authority, is a government body tasked with protecting the UAE’s critical information infrastructure and improving national cyber security. To achieve this, NESA have produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is mandatory.
NESA draws on a number of already established security standards and guidance (such as ISO 27001 and NIST). The NESA information pack includes various documents, such as the CIIP (Critical Information Infrastructure Protection Policy), and the IAS (Information Assurance Standards).
The presentation of the documentation is very well put together, not just from an aesthetic point of view (which has a commercial feel to it), but in the additional guidance. Standards like ISO 27001 and (until recently) PCI DSS had provided guidance in the form of additional documentation. NESA IAS instead includes brief guidance within each individual control, summarising what main components make up the high-level control and how it should be applied.
Threat Based Approach:
NESA lists 24 threats, ordered by the percentage of breaches as reported by various industry reports from 2012. Each control is then mapped to which threats it mitigates against. This approach to an information security standard, being threat based rather than asset based, is certainly a step in the right direction to bridging the gap between IT Risk and Business Risk.
Unlike many other information security standards, NESA does not define a scope (or allow management to define a scope) to which it should be applied. The scope of compliance is the entire organisation. In practice, this is likely to present a challenge for an organisation of any significant size (i.e. any that would be part of the critical information infrastructure). The requirement to begin the compliance process with a risk assessment should also identify the most critical information assets, which should be addressed as a priority even where full compliance across organisation isn’t possible.
UAE IAS lists 188 security controls in a prioritized approach. There are four priorities defined, and the controls are grouped into these four priorities. P1 Controls are mostly the management controls, with some technical security requirements.
From the 188 controls, NESA mandates 35 controls that help entities in building the information security foundation. These controls are required to be implemented by all the relevant entities irrespective of the outcome of the NESA Risk Assessment results.
Many of the procedures which you would expect run alongside implementation of an information assurance programme are now included as controls. For example control M.1.1.1 (Understanding the Entity and its Context), something many will recognise directly from the ISO27001 standard, is listed as a P1 control. Certainly this is a high priority item, both in terms of risk and preceding other controls, but organisations may struggle with the conceptual shift in viewing such high-level activities as a control. Having high-level management activities listed as controls does make auditing and prioritising much simpler, but organisations should still be cautious about how they implement them.
Compliance with NESA controls is binary, either compliant or non-compliant. There isn’t such a thing as minor and major non-compliances within NESA.
This will make achieving compliance with NESA particularly challenging in light of two key factors. Firstly, as discussed earlier, the applicable scope within your organisation is broad. Secondly, some of the controls themselves are also very broad, and establishing them consistently across the estate to an auditable standard will take considerable work.
Audits and Compliance Process:
NESA operate a tiered approach to enforcing compliance, not dissimilar to the merchant levels detailed within the PCI DSS. The level of risk your organisation poses to the UAE information infrastructure, both as a result of your current security controls and the inherent risk of your sector, determine how closely the sectors regulator and NESA will be working with you.
Specific penalties are not prescribed within NESA, however the escalation of scrutiny from industry regulators and NESA should not be taken lightly.
It is strongly recommend any entities within the UAE that must comply with NESA begin transitioning their current information security assurance programme. Those entities that do not have to comply should seriously consider adopting the relevant parts of the standard anyway as a secure baseline against cyber attacks.
Source | MWR Security