Last updated: 18 December 2017
#1) Who is NESA, and what is UAE IAS?
The National Electronic Security Authority (NESA) is the United Arab Emirates (UAE) federal authority responsible for the advancement of cybersecurity across the nation. To protect the UAE’s critical data and information infrastructure and improve national cybersecurity, NESA has produced the UAE Information Assurance Standards (UAE IAS), a set of standards and guidelines for government entities in critical sectors. Compliance with these standards is mandatory for all government organizations, semi-government organizations and business organizations that are identified as critical infrastructure to the UAE.
#2) Why did NESA develop these regulations?
NESA’s UAE IAS regulations were created with the aim to:
• Strengthen the security of UAE cyber assets and reduce corresponding risk levels
• Protect critical infrastructure
• Improve cybersecurity threat awareness in the UAE
• Develop human capital and technical capabilities
#3) How many security controls and standards are there?
UAE IAS is made up of a set of 188 security controls and standards which are grouped into four different tiers, ranging in priority from P1 (highest) to P4 (lowest). NESA created the list of security controls based on 24 threats that were compiled from various industry reports, and prioritized them based on the percentage of breaches that were found. Out of the 188 security controls listed, 39 of them are P1 controls which address 80% of the possible security threats NESA identified. Implementing P1 controls is an organization’s first step towards achieving compliance and building a strong information security foundation against cyberattacks.
#4) What is NESA’s audit and compliance process?
NESA will also be operating on a tiered approach when enforcing UAE IAS compliance. The level of risk that an organization poses to the UAE’s information infrastructure (based on the organization’s current security controls and the inherent risk of its industry) will determine how closely NESA and industry regulators will be working with it. Although NESA hasn’t yet outlined a mandatory compliance date for organizations, or any potential fines, these controls are required to be implemented by all the relevant entities, regardless of the outcome of their NESA Risk Assessment results (NESA’s Risk Assessment Framework is outlined in the table below). Notwithstanding any penalties and fines that NESA could enforce, organizations should start to implement P1 controls to protect against potential data breaches and mitigate the associated financial and reputational losses.
| Stage | Description |
|---|---|
| Reporting | Maturity-based self-assessment by stakeholders in line with mandatory vs. voluntary requirements |
| Auditing | When appropriate, NESA can audit stakeholders by requesting specific evidence in support of the self-assessment report |
| Testing | NESA can recommend certain tests of information security measures currently in place |
| National Security Intervention | In extreme cases, NESA should be able to directly intervene when an entity’s activities are leading to unacceptable national security risks |
#5) How can Gemalto’s Data Protection and Authentication Solutions Help with Compliance?
Download Gemalto’s UAE IAS Quick Fact Guide to learn more about the security controls and standards set out by NESA, and how Gemalto’s Data Protection and Authentication Solutions can help your organization prepare.