
NESA – The New Standard of Information Security in the UAE

Ben Downton

NESA, the National Electronic Security Authority, is a government body tasked with protecting the UAE’s critical information infrastructure and improving national cyber security. To achieve this, it has produced a set of standards and guidance for government entities and organizations in critical sectors. Compliance with these standards is mandatory.

Though a completely new standard, NESA draws on a number of already established security standards and guidance (such as ISO 27001 and NIST). This article looks at how NESA compares to these other security standards.

The NESA information pack includes various documents, such as the CIIP (Critical Information Infrastructure Protection Policy), and the IAS (Information Assurance Standards). The entire set of standards and compliance process will be referred to as “NESA” throughout this article. Though formally NESA is the government body tasked with tackling cyber security in the UAE through this initiative, these terms are used interchangeably.

Presentation and Guidance

The presentation of the documentation is very well put together, not just from an aesthetic point of view (which has a commercial feel to it), but in the additional guidance. Two large posters have been included which provide an ‘at-a-glance’ view on the breakdown of security controls and the highest priority (P1) controls respectively.

Standards like ISO 27001 and PCI DSS have provided guidance in the form of separate, additional documentation. The NESA IAS instead includes brief guidance within each individual control, summarizing the main components that make up the high-level control and how it should be applied.

Threat Based Approach

NESA lists 24 threats, ordered by the percentage of breaches attributed to each in various industry reports from 2012. Each control is then mapped to the threats it mitigates, with a reported 80% of breaches able to be mitigated by implementation of the P1 controls alone. This threat-based, rather than asset-based, approach is certainly a step in the right direction towards bridging the gap between IT risk and business risk.

Whilst NESA is certainly one of the more comprehensive standards, it may not quite achieve the goal of protecting against advanced threat actors. This is an inherent problem with any standardized approach to security.

In NESA’s case, the depth of the standard means it’s unlikely organizations will achieve full compliance within a number of years. They may focus on achieving this baseline before engaging in other activities not prescribed within NESA.

Organizations should take a two-pronged approach to security: the standardized baseline on one side, and organization-specific activities on the other. NESA captures this in some way with the split between Management and Technical control areas, but can’t cover in detail the activities that are highly specific to each organization. These include mapping attack paths, simulating targeted attacks, building detailed threat profiles, and more.

Scope

Unlike many other information security standards, NESA doesn’t define a scope (or allow management to define a scope) to which it should be applied. The scope of compliance is the entire organization.

In some ways this is quite pragmatic, as a common failing of organizations is limiting the environment to which security controls are applied. A sophisticated attacker doesn’t limit themselves in the same way, and will target any part of the business and any process (IT or not) to achieve their objective.

In practice, this is likely to present a challenge for an organization of any significant size, i.e. any that would be part of the critical information infrastructure. The requirement to begin the compliance process with a risk assessment should, however, identify the most critical information assets. These should be addressed as a priority, even where full compliance across the whole organization isn’t yet possible.

Management

Many of the procedures you’d expect to run alongside implementation of an information assurance program are now included as controls. For example, control M.1.1.1 (Understanding the Entity and its Context) is listed as a P1 control. Though this is a high priority item, both in terms of risk and preceding other controls, organizations may struggle with the conceptual shift in viewing such high-level activities as a control.

Having high-level management activities listed as controls makes auditing and prioritizing much simpler, but organizations should still be cautious about how they implement them. As an example, attempting to implement the control T.5.6.1 Information Access Restriction before successfully achieving M.1.1.1.2 Leadership and Management Commitment isn’t recommended, despite the relative impact levels of each. To paraphrase, all P1 controls are equal but some are more equal than others.

Control Status

Compliance with NESA controls is binary, either compliant or non-compliant. There’s no such thing as minor and major non-compliances within NESA.

This will make achieving compliance with NESA particularly challenging in light of two key factors. Firstly, the applicable scope within your organization is broad. Secondly, some of the controls themselves are also very broad. Establishing them consistently across the estate to an auditable standard will take considerable work.

Despite this, there’s scope for a milestone-based approach, given that controls are categorized from P1 (highest priority) to P4 (lowest). Whilst there are no degrees of success within a particular control, non-compliance with a P4 control represents significantly less risk than non-compliance with a P1 control. In this way an organization can still demonstrate progress, for example by reporting the proportion of P1 controls met before moving on to P2, despite remaining in a non-compliant state overall.

Audits and Compliance Process

NESA operates a tiered approach to enforcing compliance, not dissimilar to the merchant levels detailed within the PCI DSS. The level of risk your organization poses to the UAE information infrastructure, both as a result of your current security controls and the inherent risk of your sector, determines how closely the sector’s regulator and NESA will be working with you.

Escalation of Compliance Process (in order of increasing impact on the entity):

1. Reporting: maturity-based self-assessment by stakeholders, in line with the mandatory vs. voluntary status of each requirement.

2. Auditing: when appropriate, NESA can audit stakeholders by requesting specific evidence in support of the self-assessment report.

3. Testing: when appropriate, NESA can commission tests of the information security measures in place at stakeholders.

4. National Security Intervention: in extreme cases, NESA should be able to directly intervene when an entity’s activities are leading to unacceptable national security risks.

We often get asked about the penalties for non-compliance, particularly with mandatory standards such as NESA. Specific penalties aren’t prescribed within NESA; however, the escalation of scrutiny from industry regulators and NESA described above shouldn’t be taken lightly.

As the standard is based on identified real-world threats, non-compliance almost certainly leaves your organization exposed to attack, which has far greater significance than any penalties that could be imposed.

Summary

Overall NESA is a very good information security standard, with a number of impressive steps forward. Like any new standard, there will be some initial difficulties in obtaining and monitoring compliance that need to be ironed out. However, the culture of rapid change and improvement in the UAE should accelerate this process.

Any entities within the UAE that must comply with NESA should begin transitioning their current information security assurance program now. Entities that don’t have to comply should seriously consider adopting the relevant parts of the standard anyway, as a secure baseline against cyber attacks.
