11/07/2017 NESA The New Standard of Information Security in the UAE

Our Thinking

+
Article
NESA The New Standard of Information Security in the UAE
By Ben Downton, 6 April 2015

An analysis of NESA and how it compares to other security standards such as ISO 27001 and NIST.

NESA, The National Electronic Security Authority, is a government body tasked with protecting the UAEs critical information infrastructure and improving national
cyber security. To achieve this, NESA have produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is
mandatory.

NESA image

Though a completely new standard, NESA draws on a number of already established security standards and guidance (such as ISO 27001 and NIST).What follows
are my thoughts on howNESA compares to these other security standards.

The NESA information pack includes various documents, such as the CIIP (Critical Information Infrastructure Protection Policy), and the IAS (Information Assurance
Standards). Ill collectively refer to the entire set of standards and compliance process as NESA. Though formally NESA is the government body tasked with tackling
cyber security in the UAE through this initiative, I use these terms interchangeably.

Presentation and Guidance

The presentation of the documentation is very well put together, not just from an aesthetic point of view (which has a commercial feel to it), but in the additional
guidance. Two large posters have been included which provide an at-a-glance view on the breakdown of security controls and the highest priority (P1) controls
respectively.

Standards like ISO 27001 and (until recently) PCI DSS had provided guidance in the form of additional documentation. NESA IAS instead includes brief guidance
within each individual control, summarising what main components make up the high-level control and how it should be applied (an example, taken from the standard,
can be seen below).

NESA IAS Control Structure

Figure 1 NESA IAS Control Structure

Threat Based Approach

NESA lists 24 threats, ordered by the percentage of breaches as reported by various industry reports from 2012. Each control is then mapped to which threats it
mitigates against (with a reported 80% of breaches able to be successfully mitigated by implementation of the P1 controls). This approach to an information security
standard, being threat based rather than asset based, is certainly a step in the right direction to bridging the gap between IT Risk and Business Risk.

Whilst NESA is certainly one of the more comprehensive standards, it may not quite achieve the goal of protecting against advanced threat actors. This is an inherent
problem with any standardised approach to security. In NESAs case, the depth of the standard means it is unlikely that organisations will achieve full compliance within
a number of years, and may focus on achieving this baseline before engaging in other activities not prescribed within NESA.

As I highlighted in my recent article What have the Romans ever done for Cyber Security, organisations should take a two-pronged approach to
security. NESA captures this in some way with the split between Management and Technical control areas, but cannot cover in detail the activities that will be highly
specific to each organisation mapping attack paths, simulating targeted attacks, detailed threat profiles etc.

Scope

Unlike many other information security standards, NESA does not define a scope (or allow management to define a scope) to which it should be applied. The scope of
compliance is the entire organisation.

In some ways this is quite pragmatic, as a common failing of organisations is to limit the environment to which security controls are applied. A sophisticated attacker
does not limit themselves in the same way, and will target any part of the business and any process (IT or not) to achieve their objective.

In practice, this is likely to present a challenge for an organisation of any significant size (i.e. any that would be part of the critical information infrastructure). The
requirement to begin the compliance process with a risk assessment should also identify the most critical information assets, which should be addressed as a priority
even where full compliance across organisation isnt possible.

Management

Many of the procedures which you would expect run alongside implementation of an information assurance programme are now included as controls. For example
control M.1.1.1 (Understanding the Entity and its Context), something many will recognise directly from the ISO27001 standard, is listed as a P1 control. Certainly this
is a high priority item, both in terms of risk and preceding other controls, but organisations may struggle with the conceptual shift in viewing such high-level activities as
a control.

Having high-level management activities listed as controls does make auditing and prioritising much simpler, but organisations should still be cautious about how they
implement them. For example, attempting to implement the control T.5.6.1 Information Access Restriction before successfully achieving M.1.1.1.2 Leadership and
Management Commitment would be foolish, despite the relative impact levels of each. To paraphrase, all P1 controls are equal but some are more equal than others.

Control Status
https://www.mwrinfosecurity.com/our-thinking/nesa-the-new-standard-of-information-security-in-the-uae/ 1/4
11/07/2017 NESA The New Standard of Information Security in the UAE
Control Status

Compliance with NESA controls is binary, either compliant or non-compliant. There isnt such a thing as minor and major non-compliances within NESA.

This will make achieving compliance with NESA particularly challenging in light of two key factors. Firstly, as discussed earlier, the applicable scope within your
organisation is broad. Secondly, some of the controls themselves are also very broad, and establishing them consistently across the estate to an auditable standard
will take considerable work.

Despite this, there is scope for a milestone type of approach, given that controls are categorised from P1 (highest) to P4 (lowest). Whilst within a particular control there
are no degrees of success, non-compliance with a P4 control will represent significantly less risk than non-compliance of a P1 control. In this way an organisation can
still demonstrate progress despite still being in a non-compliant state.

Audits and Compliance Process

NESA operate a tiered approach to enforcing compliance, not dissimilar to the merchant levels detailed within the PCI DSS. The level of risk your organisation poses to
the UAE information infrastructure, both as a result of your current security controls and the inherent risk of your sector, determine how closely the sectors regulator
and NESA will be working with you.

Reporting

Maturity-based self-assessment by stakeholders in line with mandatory vs. voluntary requirement

Auditing

When appropriate,NESAcan audit stakeholders by requesting specic evidence in support of self-assessment report

Testing

When appropriate,NESAcan commission tests of information security measures in place at stakeholders

National Security Intervention

In extreme cases,NESAshould be able to directly intervene when an entitys activities are leading to unacceptable
national security risks

We often get asked about the penalties of non-compliance, particularly with mandatory standards such as NESA. Specific penalties are not prescribed within NESA,
however the escalation of scrutiny from industry regulators and NESA should not be taken lightly. As the standard is based on identified real-world threats, non-
compliance almost certainly leaves your organisation exposed to attack, having far greater significance than any penalties that could be imposed.

Summary

Overall I think NESA is a very good information security standard, with a number of impressive steps forward. Like any new standard there will be some initial
difficulties in obtaining and monitoring compliance that need to be ironed out, but the culture of rapid change and improvement in the UAE should accelerate this
process.

I would strongly recommend any entities within the UAE that must comply with NESA begin transitioning their current information security assurance programme.
Those entities that do not have to comply should seriously consider adopting the relevant parts of the standard anyway as a secure baseline against cyber attacks.

+
Share

+
Accreditations

https://www.mwrinfosecurity.com/our-thinking/nesa-the-new-standard-of-information-security-in-the-uae/ 2/4
11/07/2017 NESA The New Standard of Information Security in the UAE

MWR InfoSecurity provide specialist advice and solutions in all areas of cyber security, from professional and managed services, through to developing commercial and
open source security tools. More about MWR.

+ For Petyas sake, learn from these attacks!

+ Examining Microsofts latest patch release

+ Reuters: Clues to ransomware worm's lingering risks

+ TechRepublic: Patching XP forever won't stop next WannaCrypt

+ SC Mag: Google phishing attack nets one million accounts

+ Accounting Web: The data accountants forget to keep safe

Copyright 2017 MWR InfoSecurity

Top Sitemap

B-BBEE (South Africa) Environmental Policy

Privacy policy Terms of use

Careers Contact us

https://www.mwrinfosecurity.com/our-thinking/nesa-the-new-standard-of-information-security-in-the-uae/ 3/4
11/07/2017 NESA The New Standard of Information Security in the UAE

https://www.mwrinfosecurity.com/our-thinking/nesa-the-new-standard-of-information-security-in-the-uae/ 4/4