What is NESA & Why should you be complying with it?
The National Electronic Security Authority (NESA) is the UAE federal authority responsible for monitoring and securing the UAE’s critical information infrastructure. In other words, it is the governing body charged with enhancing cyber security throughout the nation. So, what did it do to achieve these objectives? It crafted a new set of guidelines and standards whose scope covers all public entities and those entities identified by NESA as providing critical national services.
Hence, NESA compliance requirements are mandatory for the identified set of entities operating in the nation. The standard also covers stakeholders who support, associate with, or provide critical national information services. Beyond this strict line of applicability, NESA also encourages other entities to share the vision and follow the guidelines voluntarily to protect the nation’s information infrastructure.
The following case study illustrates a NESA audit conducted by the ValueMentor team for a reputable financial organization in the UAE. Without further ado, let us move on to the audit reflections, one by one.
About the Client
The client is a trusted composite insurer in the UAE region. Its product portfolio includes insurance products and solutions for individuals and corporate businesses. It delivers strong claim fulfilment to customers across segments, with quality service in areas of risk backed by experienced professionals.
The client’s engagement requirement was to:
- Perform Internal Audit against NESA Compliance standard
Here are the challenges that stood in the way while performing the audit:
- The limited availability of the client’s SPOC (single point of contact) during the assessment affected information access and communication.
- The absence of stakeholders at the opening meeting made it difficult to present and agree the audit approach before the start of the engagement. It also affected the overall audit schedule.
- The head of the IT operations team was reluctant to accept the audit approach during the initial phase of the project.
Audit Approach
- Prior to the on-site visit, the team communicated the audit program schedule to the client.
- The engagement involved a 3-day on-site audit and a 1-day remote audit.
- The team also communicated the objectives of the audit to the team leaders and stakeholders.
- Ensured active participation and support from various client departments, including general insurance, medical and health insurance, HR, IT operations, and sales.
- Reviewed policies, procedures and supporting documents, including the NDA and AMC contracts.
- Reviewed all physical security measures to identify gaps and deviations against NESA compliance requirements.
Outcomes of the engagement included:
- Daily briefings and audit closure with stakeholders
- Reached conclusive agreement with the client on all observations and findings
- Completion and submission of the Audit Summary Report with prioritized risk recommendations
- 11 non-conformities were observed: 2 major and 9 minor
The NESA compliance audit was completed within the given timeline, with 100 % efficiency and full adherence to the outlined requirements of the standard. By complying with the standard’s requirements, the client was able to reinforce the security of its critical information infrastructure. The learning and awareness training delivered at the close of the project also helped reduce the corresponding risk levels. Moreover, the project became a tool for improving the overall ability of the client’s security division to detect, respond to, and recover from cybersecurity incidents.