An analysis of NESA and how it compares to other security standards such as ISO 27001 and NIST.
NESA, The National Electronic Security Authority, is a government body tasked with protecting the UAE’s critical information infrastructure and improving national cyber security. To achieve this, NESA have produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is mandatory.
Though a completely new standard, NESA draws on a number of already established security standards and guidance (such as ISO 27001 and NIST). What follows are my thoughts on how NESA compares to these other security standards.
The NESA information pack includes various documents, such as the CIIP (Critical Information Infrastructure Protection Policy), and the IAS (Information Assurance Standards). I’ll collectively refer to the entire set of standards and compliance process as “NESA”. Though formally NESA is the government body tasked with tackling cyber security in the UAE through this initiative, I use these terms interchangeably.
The presentation of the documentation is very well put together, not just from an aesthetic point of view (which has a commercial feel to it), but in the additional guidance. Two large posters have been included which provide an ‘at-a-glance’ view on the breakdown of security controls and the highest priority (P1) controls respectively.
Standards like ISO 27001 and (until recently) PCI DSS had provided guidance in the form of additional documentation. NESA IAS instead includes brief guidance within each individual control, summarising what main components make up the high-level control and how it should be applied (an example, taken from the standard, can be seen below).
Figure 1 NESA IAS Control Structure
NESA lists 24 threats, ordered by the percentage of breaches as reported by various industry reports from 2012. Each control is then mapped to which threats it mitigates against (with a reported 80% of breaches able to be successfully mitigated by implementation of the P1 controls). This approach to an information security standard, being threat based rather than asset based, is certainly a step in the right direction to bridging the gap between IT Risk and Business Risk.
Whilst NESA is certainly one of the more comprehensive standards, it may not quite achieve the goal of protecting against advanced threat actors. This is an inherent problem with any standardised approach to security. In NESA’s case, the depth of the standard means it is unlikely that organisations will achieve full compliance within a number of years, and may focus on achieving this baseline before engaging in other activities not prescribed within NESA.
As I highlighted in my recent article “What have the Romans ever done for Cyber Security”, organisations should take a two-pronged approach to security. NESA captures this in some way with the split between Management and Technical control areas, but cannot cover in detail the activities that will be highly specific to each organisation – mapping attack paths, simulating targeted attacks, detailed threat profiles etc.
Unlike many other information security standards, NESA does not define a scope (or allow management to define a scope) to which it should be applied. The scope of compliance is the entire organisation.
In some ways this is quite pragmatic, as a common failing of organisations is to limit the environment to which security controls are applied. A sophisticated attacker does not limit themselves in the same way, and will target any part of the business and any process (IT or not) to achieve their objective.
In practice, this is likely to present a challenge for an organisation of any significant size (i.e. any that would be part of the critical information infrastructure). The requirement to begin the compliance process with a risk assessment should also identify the most critical information assets, which should be addressed as a priority even where full compliance across the organisation isn’t possible.
Many of the procedures which you would expect run alongside implementation of an information assurance programme are now included as controls. For example control M.1.1.1 (Understanding the Entity and its Context), something many will recognise directly from the ISO27001 standard, is listed as a P1 control. Certainly this is a high priority item, both in terms of risk and preceding other controls, but organisations may struggle with the conceptual shift in viewing such high-level activities as a control.
Having high-level management activities listed as controls does make auditing and prioritising much simpler, but organisations should still be cautious about how they implement them. For example, attempting to implement the control T.5.6.1 Information Access Restriction before successfully achieving M.18.104.22.168 Leadership and Management Commitment would be foolish, despite the relative impact levels of each. To paraphrase, all P1 controls are equal but some are more equal than others.
Compliance with NESA controls is binary, either compliant or non-compliant. There isn’t such a thing as minor and major non-compliances within NESA.
This will make achieving compliance with NESA particularly challenging in light of two key factors. Firstly, as discussed earlier, the applicable scope within your organisation is broad. Secondly, some of the controls themselves are also very broad, and establishing them consistently across the estate to an auditable standard will take considerable work.
Despite this, there is scope for a milestone type of approach, given that controls are categorised from P1 (highest) to P4 (lowest). Whilst within a particular control there are no degrees of success, non-compliance with a P4 control will represent significantly less risk than non-compliance with a P1 control. In this way an organisation can still demonstrate progress despite still being in a non-compliant state.
NESA operate a tiered approach to enforcing compliance, not dissimilar to the merchant levels detailed within the PCI DSS. The level of risk your organisation poses to the UAE information infrastructure, both as a result of your current security controls and the inherent risk of your sector, determines how closely the sector’s regulator and NESA will be working with you.
| Escalation of Compliance Process | Impact |
|---|---|
| Reporting | Maturity-based self-assessment by stakeholders in line with mandatory vs. voluntary requirement |
| Auditing | When appropriate, NESA can audit stakeholders by requesting specific evidence in support of self-assessment report |
| Testing | When appropriate, NESA can commission tests of information security measures in place at stakeholders |
| National Security Intervention | In extreme cases, NESA should be able to directly intervene when an entity’s activities are leading to unacceptable national security risks |
We often get asked about the penalties of non-compliance, particularly with mandatory standards such as NESA. Specific penalties are not prescribed within NESA, however the escalation of scrutiny from industry regulators and NESA should not be taken lightly. As the standard is based on identified real-world threats, non-compliance almost certainly leaves your organisation exposed to attack, having far greater significance than any penalties that could be imposed.
Overall I think NESA is a very good information security standard, with a number of impressive steps forward. Like any new standard there will be some initial difficulties in obtaining and monitoring compliance that need to be ironed out, but the culture of rapid change and improvement in the UAE should accelerate this process.
I would strongly recommend any entities within the UAE that must comply with NESA begin transitioning their current information security assurance programme. Those entities that do not have to comply should seriously consider adopting the relevant parts of the standard anyway as a secure baseline against cyber attacks.