Decoding NESA

The Next Frontier in Banking

Mobile App s and the

Associate Security Risks &
Threats

Understanding UAEs Information

Security Standard
Understanding UAEs Information Security Standard
Introduction to NESA
The National Electronic Security Authority (NESA) is a
UAE federal authority that operates under the Supreme
Council for National Security. NESA is responsible for the
advancement of the nations cyber security, expanding
cyber awareness and creating a collaborative culture
rooted in information technology and innovation. To
achieve these tasks, NESA have outlined a set of
standards known as the UAE IA Standards to
implement information security controls around
information infrastructures supporting critical national
services.. These standards are a crucial part of the NCSS
(National Cyber Security Strategy) and are the minimum
requirements for entities to assimilate into the Sector
and National platforms.
It is mandatory for all UAE government entities and
other entities identified as critical by NESA to apply its
requirements to the usage, processing, storage, and
transmission of information, both in physical &
electronic form. Compliance with NESA can help
entities in the following ways:
Strengthen security of critical information
infrastructure and reduce corresponding risk levels;
Detect, respond, and recover from significant cyber
security threat incidents and reduce its impact to the
society and economy of the UAE;
Increase cyber security awareness among its
workforce and the capability of the nation;
Foster collaboration at sector and national level.
The UAE IA Standards provides management and
technical information security controls for entities to
establish, implement, maintain, and continuously
improve information assurance. It promotes a life
cycle approach for establishing, implementing,
PALADION NETWORKS 2
maintaining, and continuously improving Information
Assurance. This life cycle approach ensures continual
improvement of the UAEs Information Assurance
capabilities based on well-defined activities:
UNDERSTANDING an entitys and/or sectors
information security requirements, identifying the
need to establish a clear policy, and meeting the
objectives for raising information security;
CONDUCTING risk assessments, identifying
appropriate risk treatment actions, and selecting the
appropriate controls to manage the risks;
IMPLEMENTING and operating security controls to
manage information security risks in the context of
the entitys or sectors overall business risks;
MONITORING and reviewing the performance and
effectiveness of the information security processes
and its controls.
ENSURING continual improvement based on
objective measurements.
Performing a risk management policy is a key step
towards the implementation of the UAE IA Standard,
as it helps entities identify, prioritize, and measure the
effectiveness of the security controls that are needed
to treat identified entity-specific risks. Critical entities
implementing this standard will have to refer to the
National Cyber Risk Management Framework
(NCRMF), which highlights the National Risk
Management approach and process of Critical
Information Infrastructure.
The security controls contained in NESA UAE IA
Standard are developed to treat a typical entity risk
profile and are grouped in four priority levels based on
their relative impact to:
Understanding UAEs Information Security Standard PALADION NETWORKS 3

1. Mitigate common threats and begin implementing these Standards with P1 security
controls given their highest relative impact in
2. Build foundational capabilities.
protecting against critical threats and building
foundational Information Assurance capabilities.

Priority Level Number of Controls The overall set of security controls that are Always
Applicable and those security controls that have been
P1 39
determined as being applicable based on the risk
P2 69 assessment are mandatory for the entity to

P3 35 implement, and will be the basis of the compliance

monitoring scheme.
P4 45
The figure below describes the four levels of
monitoring that NESA will use to manage entities

While this common risk profile including the above 188 meeting compliance of the NESA UAE IA Standard:

controls are widely applicable to implementing

entities, NESA recognizes that entity risk profiles do National
Testing Security
differ based on their specific business and operational Intervention
Auditing
context. Therefore, UAE IA Standard requires entities Reporting
considering implementation to identify security
controls based on risk assessment results. An
individual entity may exclude some security controls
on the basis of the risk assessment outcomes,
provided that adequate justification is submitted to
NESA. Reporting:

However, there are 35 mandatory controls out of the NESA will consolidate maturity-based self-
above 188 controls that are referred as Always assessments by stakeholders to generate entity,
Applicable in the standard, as these represents sector and national views. This may be more targeted
requirements for instituting foundational IA for diagnostic analysis of critical entities.
capabilities within an entity. Given their foundational
Auditing
role, the Always Applicable security controls needs
to be implemented by each relevant entity regardless When appropriate, NESA may audit stakeholders by
of its risk assessment outcomes. Prior to performing requesting specific evidence in support of self-
the risk assessment process, an entity should assessment reports.
consider all security controls to be applicable.
Testing
While all the applicable security controls across the
four priority levels are mandatory for critical entities
implementing these Standards, they are required to
Understanding UAEs Information Security Standard
When appropriate, NESA can commission tests of
information security measures in place at
stakeholders.
National Security Intervention
In extreme cases, NESA may directly intervene when
an entity's activities are consistently leading to
unacceptable national security risks.
Determining the correct compliance check for the
organization depends on the amount of security
threat it poses to the UAE information infrastructure.
This depends on the type of security controls currently
employed by the organization, as well as the type of
sector in which it operates that will inform the extent
to which NESA and the sectors regulator will be
working with the organization.
NESA Security Controls
NESA recommends 188 security controls structured
into 6 management control families and 9 technical
control families as described below. There are also 6
Management Control Families that are detailed as
follows:
1) Strategy and Planning
An information security strategy shall be defined and
an operating model will be developed to adhere to the
strategy. In addition, information security plans shall
be developed for each major service to identify and
mitigate the risks corresponding to each service.
2) Information Security Risk Management
An information security risk management process
shall be implemented to conduct risk assessments,
statements of applicability, security testing, and
PALADION NETWORKS 4
evaluations of information security controls on
applicable services.
3) Awareness and Training
An awareness and training program shall be
implemented to inform entities of risks associated
with their activities and to ensure that entities are
adequately trained to carry out their assigned
information security responsibilities.
4) Human Resource Security
Human resources security requirements and security
responsibilities shall be addressed prior to
employment, during employment, and after
termination or change of employment.
5) Compliance
Entities shall comply with legal requirements, security
policies, and technical standards.
6) Performance Evaluation and Improvement
Entities shall ensure that information security
performance is measured, analyzed, and evaluated.
The 9 Technical Control Families are explained as the
following:
1) Asset Management
Assets shall be managed and information shall be
classified and labeled to ensure that assets, along
with information, receive an appropriate level of
information security.
2) Physical and Environmental Security
Physical and environmental security measures shall
be implemented to ensure critical or sensitive
information systems are physically protected from
unauthorized access, damage and interference, and all
Understanding UAEs Information Security Standard
equipments are protected from physical and
environmental threats.
3) Operations Management
Operational procedures and responsibilities shall be
developed to ensure an adequate level of information
security is achieved. In addition, backup, media
handling, e-services security, and monitoring
capabilities shall be addressed to ensure protection
against malicious code and spyware.
4) Communications Security
Network security and information sharing shall be
addressed to ensure protection of information in
transit.
5) Access Controls
Access control processes shall be developed to control
access to information, manage user access, and
control access to internal and external network
services, operating systems, applications, and to apply
appropriate protection when using mobile computing
and teleworking services.
6) Third Party Security
Third-party security shall be managed to ensure third
parties implement and maintain the appropriate level
of information security and service delivery. Also, all
information that is stored, processed, and retrieved,
including via cloud services, will be ensure that it is
secure.
7) Information Systems Acquisition Development and
Maintenance
An information systems acquisition, development,
and maintenance process shall be implemented to
prevent unauthorized modification or misuse of
information in applications. This will be carried out to
PALADION NETWORKS 5
ensure that a cryptographic control policy is in place
for maintaining security in development and support
processes, as well as to manage technical
vulnerabilities.
8) Information Security Incident Management
Information security events and weaknesses shall be
reported and evidence of security incidents shall be
collected and analyzed to ensure that information
security events and weaknesses are properly
communicated and security incidents are adequately
managed.
9) Information Security Continuity Management
A business continuity management process shall be
implemented to counteract interruptions to business
activities, in addition to protecting critical business
processes from information system failures.
Paladion Control Implementation Advisory
All of the aforementioned security controls should be
implemented through adequate planning by
addressing 5 critical parameters of any management
system:
1. Organizational structure implementation;
2. Manpower recruitment;
3. Information security processes implementation;
4. Infrastructure and application implementation;
5. Awareness and Training requirements.
Paladion has expertise in enabling organizations to
meet NESA compliance standards. We propose a
detailed implementation of the NESA UAE IA Standard
in a phased wise manner as shown below.
Understanding UAEs Information Security Standard PALADION NETWORKS 6

Phase 2: Gap & Risk Assessment- This will involve

Critical Services Identification comprehensive benchmarking of existing information
security capabilities of the implementing entities vis-
Gap & Risk Assessment
-vis the 188 controls of NESA UAE IA Standard,
assessing the threats, vulnerabilities, and risks that
Control Development & Implementation can result from the identified gaps, and defining cyber
security controls that can mitigate the identified risks,
Control Effectiveness Check & Audit
along with a detailed NESA implementation roadmap
based upon identified applicable cyber security
controls. The implementation roadmap will consider
the control prioritization as prescribed by NESA.

Phase 1: Critical Service Identification- This will
involve detailed project planning, high
understanding of the organization by Paladion Subject
Matter Experts, identification of critical business
services whose loss in CIA can lead to direct sectoral
and national level. Finally, mapping the underlying
information infrastructure (in both electronic and
physical form) to the critical business services is also
included.
Phase 3: Control Development & Implementation-
level This will involve comprehensive advisory by Paladion
Subject Matter Expert in development &
implementation of NESA security controls. This will be
approached in a sequential manner starting from the
P1 controls. Paladion Subject Matter Experts will first
assist in the development & implementation of P1, P2,
P3, and P4 security controls in a sequential manner.
Implementation support will also include a

Project Planning Assess existing control Prioritize development Assess performance of

Phase 1

Phase 2

Phase 3

Phase 4

gaps vis-a-vis NESA of P1 controls the implemented

High Level Organization
UAE IA Standard controls
Understanding Implement P1 controls
Assess threats and Conduct pre-
Identify Critical Develop P2 Controls
vulnerabilities that can compliance audit
Business Services
exploit the gaps Implement P2 Controls
Assist organization in
Identify information
Identify Cybersecurity Develop P3 Controls meeting compliance to
infrastructures
controls that will reduce Implement P3 Controls NESA requirements
supporting critical
the identified risks during the compliance
national service Develop P4 Controls
audit.
Define a detailed NESA
Implement P4 Controls
Implementation
Roadmap Conduct comprehensive
security awareness
program
Understanding UAEs Information Security Standard PALADION NETWORKS 7

comprehensive security awareness program covering Paladion is privileged to offer consulting services to
all the security controls. help organizations meet compliance regulations and
laws. With over 15 years of experience in the
Phase 4: Control Effectiveness Check & Audit- This
information security industry, we know first-hand the
will involve one full round of performance evaluation
challenges in protecting your information assets.
of the implemented P1, P2, P3, and P4 security
controls, one full round of pre-compliance audit to
check the maturity level of entitys security posture,
and assistance provided to the organization in
meeting compliance to NESA requirements during the
compliance audit.

Furthermore, it provides information security

continuity management, in addition to a 5 step
evaluation and improvement approach, development
of SMART goals, and guidelines on hardware,
software, and employee protection.
Understanding UAEs Information Security Standard PALADION NETWORKS 8

ABOUT PALADION
Paladion Networks is a specialized partner for information risk management providing
end-to-end services and solutions in the US,Europe,Asia and the Middle East. Paladion is
rated and has been recognized and awarded by Gartner, Asian Banker and Red
Herring,amongst others.

For over 15 years, Paladion has been actively managing information risks for over 700
customers. Paladion provides a complete spectrum of information risk management
comprising of security assurance, compliance, governance, monitoring, security analytics
and security management services to large and medium-sized organizations. Paladion is
also actively involved in several information risk management research forums and has
authored many books on the same. With a staff of over 800 dedicated security experts,
Paladion has 6 Security Operations Centers (SOCs) across the world.

Please visit www.paladion.net for more information.

.........................................................................................................................................................................

Head Office: Bangalore: Shilpa Vidya, 49 1st Main, 3rd Phase, JP Nagar, Bangalore- 560078
Phone : +91-80-42543444, Fax : +91-80-41208929

Abu Dhabi: +971-55-9891227, Bangkok: +66 23093650-51, Doha: +974 33559018,

Dubai: +971-4-2595526, Jakarta: +62-8111664399,Kuala Lumpur: +60-3-7660-4988,
London: +44(0)20 7148 7475, Mumbai: +91 022 33655151, Riyadh: +966 ( 0 ) 11 4725163,
Stuttgart:+49-711-7224-9626, Toronto: +-416-273-5004, Virginia: +1-703-8713934,
Muscat: +968 99383575 (Business Associates)
[email protected] | www.paladion.net