Quick Facts About UAE’s NESA IAS
Information technology keeps advancing and has shifted the way businesses operate globally. Digitalization has brought many changes in favor of enterprises, but online threats and vulnerabilities remain a vital concern in this digital landscape. Cyber-attacks have increased, and enterprises need to maintain their systems, operations, and environments properly. As a result, regulatory and government bodies have set guidelines and standards for corporations to follow.
That is where this blog takes us: the NESA UAE Information Assurance Standards (IAS). NESA is the UAE government body that secures the nation’s critical information infrastructure and works to improve cyber security across the country. For this purpose it developed the NESA IAS, a set of standards and guidelines applicable to entities in the UAE’s critical sectors. The National Electronic Security Authority (NESA) requires compulsory compliance with the standard in the UAE.
NESA & UAE IAS
Established in 2012, NESA is the UAE federal body responsible for the complete protection of the UAE’s critical information infrastructure. The NESA IAS contains guidelines for government organizations, semi-government organizations, and other business organizations such as national service providers. NESA is the former name of the body, which is now known as the Signals Intelligence Agency (SIA).
The goal of NESA’s IAS standard
The prime purpose of the standard is to enhance cyber security in the UAE. The other goals behind the NESA IAS standard are as follows: –
- Improve the security of cyber assets in the UAE
- Reduce infrastructure security risk levels
- Improve cyber security threat awareness in the UAE
- Develop infrastructure, resources, and technical capabilities
Who should follow the IAS standard?
The next question is which organizations fall under this security standard. Compliance is mandatory in the UAE, and the following categories fall within the scope of the NESA compliance requirements: –
- Government organizations
- Semi-government organizations
- BFSI and fintech organizations
- Other critical infrastructure organizations in the UAE
NESA also encourages other entities to take part in the approach that secures the national information infrastructure.
NESA IAS standard & security controls
- The NESA UAE Information Assurance Standards have their roots in major international standards such as ISO 27001 and NIST. NESA adopted its security controls from these frameworks.
- The IAS contains 188 security controls, divided into four tiers by priority. The tiers range from P1 to P4, with P1 representing the highest-priority controls and P4 the lowest. Each security control also has sub-controls, compliance requirements and indicators.
- The controls in the NESA assessment map to 24 threats that the body identified from various industry reports. NESA calculated the percentage of breaches each threat accounted for and prioritized its security controls accordingly. As a result, the tier P1 security controls alone help organizations address 80 % of the threats identified by NESA.
- 700 sub-controls fall under the primary controls in the NESA IAS. Of these, 136 are mandatory, and the application of the remaining 564 depends on the NESA assessment results.
- All enterprises that come under the standard must have a risk assessment strategy and a method for identifying all risks and vulnerabilities. This lets enterprises calculate the potential impact associated with each risk and assign risk levels, which in turn determines whether any additional sub-controls are required. Enterprises also need to review these risks on a regular basis.
- The security controls are further divided into management and technical controls: 60 management controls and 128 technical controls in total.
- Management controls cover information security risk management, compliance, awareness and training, human resource security, and performance evaluation and improvement.
- Technical controls cover physical and environmental security, asset management, operations management, third-party security, information security incident management, business continuity management and more.
- A final point: of the 188 security controls, 35 of the management controls are high priority with NESA, while the application of the technical controls depends on the risk assessment results.
How does ValueMentor help organizations with NESA assessment and compliance?
ValueMentor is a leading cyber risk and compliance service provider in the UAE with a vision of improving national cyber security. We help enterprises achieve NESA compliance quickly, following the guidelines in the NESA UAE Information Assurance Standards. Our NESA compliance service involves four phases: –
The first phase assesses the organization’s current state of compliance: –
- Critical asset identification
The process involves understanding the organization by identifying its critical business services and information infrastructure.
- Gap and risk assessment
Here, the organization’s current state is assessed and mapped to the NESA standard. Every risk and vulnerability that could exploit the gaps is also identified in this phase.
- NESA control identification
All controls applicable to mitigating the identified risks are selected, in line with the NESA compliance checklist.
- NESA compliance report
We create and deliver the NESA-mandated reports, such as NESA progress reports and risk assessment and management reports.
The second phase is control development: the controls needed to treat the identified risks and vulnerabilities are developed, with the NESA risk treatment plans giving direction to the implementation: –
- Develop NESA policies and procedures that form the basis for implementing cyber security practices within the organization.
- Provide security awareness training to employees and staff to improve the organization’s security posture.
- Develop technical and management controls to close the identified gaps.
The third phase helps enterprises sustain security best practices through managed services: –
- Periodic security testing
This includes vulnerability assessments, penetration testing services and security configuration reviews.
- SIEM & incident response
This offers 24/7 security monitoring, security device management and SIEM solution deployment.
- Managed infrastructure security
Managed infrastructure security delivers features such as next-gen firewalls, UTMs, URL filters, Wi-Fi/web security, VPN, and remote access security.
- Data & endpoint security
DLP solutions, patch management, endpoint security, and mobile device management come under this service line.
The fourth phase performs periodic reviews of the NESA compliance status, which keeps the information security management system (ISMS) effective: –
- NESA performance review
This review assesses the performance of the ISMS against the specified metrics and helps organizations improve their ISMS framework.
- NESA internal audit
Periodic internal audits assess full compliance with the defined policies and procedures.
- External audit support
We assist the customer during the external audit to meet the NESA compliance requirements.
In today’s technology-driven world, cyber-attacks are becoming more severe and more frequent, so organizations face the risk of losing critical data, whether sensitive customer data, financial and operational data, or legal and statutory records. To protect these assets, effective NESA compliance is a mandatory requirement in the UAE.
As a cyber security consulting company, we help you manage the information security requirements of the standard with ease and the appropriate rigour. Our expert consulting and implementation practices have helped organizations achieve NESA compliance on track and on time.