NESA – The New Standard of Information Security in the UAE

An analysis of NESA and how it compares to other security standards such as ISO 27001 and NIST.

NESA, The National Electronic Security Authority, is a government body tasked with protecting the UAE’s critical information infrastructure and improving national cyber security. To achieve this, NESA have produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is mandatory.

Though a completely new standard, NESA draws on a number of already established security standards and guidance (such as ISO 27001 and NIST). What follows are my thoughts on how NESA compares to these other security standards.

The NESA information pack includes various documents, such as the CIIP (Critical Information Infrastructure Protection Policy), and the IAS (Information Assurance Standards). I’ll collectively refer to the entire set of standards and compliance process as “NESA”. Though formally NESA is the government body tasked with tackling cyber security in the UAE through this initiative, I use these terms interchangeably.

Presentation and Guidance

The presentation of the documentation is very well put together, not just from an aesthetic point of view (which has a commercial feel to it), but in the additional guidance. Two large posters have been included which provide an ‘at-a-glance’ view on the breakdown of security controls and the highest priority (P1) controls respectively.

Standards like ISO 27001 and (until recently) PCI DSS have provided guidance in the form of additional documentation. NESA IAS instead includes brief guidance within each individual control, summarising the main components that make up the high-level control and how it should be applied (an example, taken from the standard, can be seen below).

Figure 1: NESA IAS Control Structure

Threat Based Approach

NESA lists 24 threats, ordered by the percentage of breaches reported across various industry reports from 2012. Each control is then mapped to the threats it mitigates (with a reported 80% of breaches able to be successfully mitigated by implementation of the P1 controls). This approach to an information security standard, being threat based rather than asset based, is certainly a step in the right direction towards bridging the gap between IT Risk and Business Risk.

Whilst NESA is certainly one of the more comprehensive standards, it may not quite achieve the goal of protecting against advanced threat actors. This is an inherent problem with any standardised approach to security. In NESA’s case, the depth of the standard means it is unlikely that organisations will achieve full compliance within a number of years, and may focus on achieving this baseline before engaging in other activities not prescribed within NESA.

As I highlighted in my recent article “What have the Romans ever done for Cyber Security”, organisations should take a two-pronged approach to security. NESA captures this in some way with the split between Management and Technical control areas, but cannot cover in detail the activities that will be highly specific to each organisation – mapping attack paths, simulating targeted attacks, detailed threat profiles etc.

Scope

Unlike many other information security standards, NESA does not define a scope (or allow management to define a scope) to which it should be applied. The scope of compliance is the entire organisation.

In some ways this is quite pragmatic, as a common failing of organisations is to limit the environment to which security controls are applied. A sophisticated attacker does not limit themselves in the same way, and will target any part of the business and any process (IT or not) to achieve their objective.

In practice, this is likely to present a challenge for an organisation of any significant size (i.e. any that would be part of the critical information infrastructure). The requirement to begin the compliance process with a risk assessment should also identify the most critical information assets, which should be addressed as a priority even where full compliance across the organisation isn’t possible.

Management

Many of the procedures which you would expect to run alongside the implementation of an information assurance programme are now included as controls. For example, control M.1.1.1 (Understanding the Entity and its Context), something many will recognise directly from the ISO 27001 standard, is listed as a P1 control. Certainly this is a high priority item, both in terms of risk and in preceding other controls, but organisations may struggle with the conceptual shift of viewing such high-level activities as a control.

Having high-level management activities listed as controls does make auditing and prioritising much simpler, but organisations should still be cautious about how they implement them. For example, attempting to implement the control T.5.6.1 Information Access Restriction before successfully achieving M.1.1.1.2 Leadership and Management Commitment would be foolish, despite the relative impact levels of each. To paraphrase, all P1 controls are equal but some are more equal than others.

Control Status

Compliance with NESA controls is binary: either compliant or non-compliant. There is no distinction between minor and major non-compliances within NESA.

This will make achieving compliance with NESA particularly challenging in light of two key factors. Firstly, as discussed earlier, the applicable scope within your organisation is broad. Secondly, some of the controls themselves are also very broad, and establishing them consistently across the estate to an auditable standard will take considerable work.

Despite this, there is scope for a milestone type of approach, given that controls are categorised from P1 (highest) to P4 (lowest). Whilst within a particular control there are no degrees of success, non-compliance with a P4 control will represent significantly less risk than non-compliance with a P1 control. In this way an organisation can still demonstrate progress despite remaining in a non-compliant state.

Audits and Compliance Process

NESA operate a tiered approach to enforcing compliance, not dissimilar to the merchant levels detailed within the PCI DSS. The level of risk your organisation poses to the UAE information infrastructure, both as a result of your current security controls and the inherent risk of your sector, determines how closely the sector’s regulator and NESA will be working with you.

Escalation of Compliance Process (stage: impact)

Reporting: Maturity-based self-assessment by stakeholders, in line with the mandatory vs. voluntary requirement.
Auditing: When appropriate, NESA can audit stakeholders by requesting specific evidence in support of the self-assessment report.
Testing: When appropriate, NESA can commission tests of the information security measures in place at stakeholders.
National Security Intervention: In extreme cases, NESA should be able to directly intervene when an entity’s activities are leading to unacceptable national security risks.

We often get asked about the penalties for non-compliance, particularly with mandatory standards such as NESA. Specific penalties are not prescribed within NESA; however, the escalation of scrutiny from industry regulators and NESA should not be taken lightly. As the standard is based on identified real-world threats, non-compliance almost certainly leaves your organisation exposed to attack, which is of far greater significance than any penalties that could be imposed.

Summary

Overall I think NESA is a very good information security standard, with a number of impressive steps forward. Like any new standard there will be some initial difficulties in obtaining and monitoring compliance that need to be ironed out, but the culture of rapid change and improvement in the UAE should accelerate this process.

I would strongly recommend any entities within the UAE that must comply with NESA begin transitioning their current information security assurance programme. Those entities that do not have to comply should seriously consider adopting the relevant parts of the standard anyway as a secure baseline against cyber attacks.
