Thursday, 27 August 2020

UAE IA Standards: Measuring Cyber Security Maturity

The UAE has become an emerging technology hub in a fast-evolving interconnected digital world while cyber-threats at a global scale are becoming far more complex, and increasingly inevitable.

The UAE has significant resources and is continuously raising the bar when it comes to innovation. At the same time, smart technologies, automation and technological advances make the region a particularly attractive target for threat actors. Effective cybersecurity strategies are moving from a standalone defensive approach to mandatory security programmes that represent a competitive advantage for the organisation as a whole.

The UAE's federal body released the UAE Information Assurance (UAE IA) Standards on 25th June 2014, as part of the Cyber Security Framework, to manage the country's cyberspace.

Since the release of the UAE IA Standards, the UAE, like the rest of the world, has seen near-exponential growth of the cybersecurity landscape. The latest statistics from various sources depict this growth while, at the same time, offering trustworthy and actionable recommendations for thought leaders and decision-makers.

Objective and Importance

The UAE IA standards represent one of the most important initiatives towards a nationwide cyber resilient smart-led digital ecosystem. More specifically:

  • The UAE National Cyber Security Strategy (NCSS) sets the course for the government’s ongoing commitment to protect the national cyberspace.
  • The UAE National Information Assurance Framework (NIAF) is aligned in supporting the implementation of the NCSS.
  • The UAE IA Standards are a critical element of the National Information Assurance Framework (NIAF).
  • The UAE IA Standards outline the requirements that are necessary for elevating the level of IA across all implementing entities in the UAE.

The objective of the UAE IA Standards is to help entities across the UAE follow a common information security practice and ensure the utmost security and compliance. This establishes standardisation across the entities implementing this framework. Compliance with this standard is mandatory for all Government entities and any other entities identified as 'Critical', such as an organisation that is identified as part of the Critical National Infrastructure (CNI). The outcome of the UAE IA assessment depicts the overall security posture of an entity’s Information Security environment. Most importantly, the outcome of the assessment is capable of providing a benchmark for measuring Cyber Security Maturity.

Fundamentals of the UAE IA Standards, security assessment and compliance

The UAE IA assessment is a collection of fifteen (15) information security domains which are grouped under management and technical controls (Figure 1).


Figure 1 – The UAE IA Security Controls Summary

More specifically, management controls are composed of six (6) control families, while technical controls are composed of nine (9) control families (Figure 2).


Figure 2 – The UAE IA Security Control families.

The fifteen (15) domains have in total 188 security controls, of which sixty (60) controls fall under Management and 128 controls fall under Technical. In addition, each security control has a priority assigned to it, which weights the outcome and allows the focus and effort to be directed towards what matters most. Most importantly, there are thirty-five (35) management controls which are classified as “always applicable”, while the applicability of the remaining controls depends on the outcome of the Risk Assessment.

UAE IA assessment structure

The assessment should follow a phased approach that includes interactive workshops (interviews), documentation review, analysis (observations) of evidence provided, and report writing (Figure 3).


Figure 3 – The UAE IA assessment phased approach.

The purpose of the assessment is to validate the current capabilities of the Information Security section, identify gaps, highlight omissions when put against industry best practices, and provide recommendations to improve the information security program’s maturity, while mapped against the UAE IA Standards and framework.

More specifically:

  • Interactive workshop (interviews): Interview meetings are the first step of the UAE IA assessment, where all in-scope teams are assessed against the relevant and applicable controls.
  • Documentation review: Evidence collection and review is an important phase which brings into the spotlight the current information security and cybersecurity a) status, b) hygiene, c) maturity and d) potential gaps.
  • Analysis (observations): Assessment remarks are captured and the final analysis of the controls’ effectiveness is conducted from a holistic perspective.
  • Report writing: Once the analysis is completed, the next step is to develop a draft report and conduct a validation meeting for both GRC and CND findings, before producing the final report and the resulting scorecard.


Comparisons against similar initiatives for compliance:

The UAE IA controls assessment can be considered more comprehensive than ISO 27001, as there are multiple domains and controls which are not present in ISO 27001, with a particular focus on how effectively each security control is implemented. In addition, following best practices from NIST SP 800-53, ISO 20000, COBIT and even PCI DSS and Cyber Essentials is in many cases predominantly inclined towards “ticking the box” across different IT security initiatives, rather than a holistic approach to measuring and improving Cyber Security across all verticals of an organisation.

Even though in principle a mapping between the controls of the UAE IA Standards, ISO 27001 and NIST SP 800-53 is possible and does exist, there is a significant difference between the way an audit is conducted and how the UAE IA assessment is executed. The figure below (Figure 5) simply summarises the number of controls that exist among the different compliance initiatives one can choose to work on.

Figure 5 – Security Controls across different compliance initiatives

Implementing the UAE IA Standards across UAE entities not only ensures effective compliance with the UAE National Information Assurance Framework (NIAF), as part of the UAE National Cyber Security Strategy (NCSS), but also provides compliance with essential regulatory bodies. Hands-on experience with UAE IA Standards security assessments has made it apparent that ISO 27001 is more of a process-oriented standard. In contrast, COBIT and NIST are more technical, while at the same time they can be considered subsets of the UAE IA Standards.

As an overall comparison, the UAE IA Standards provide a balance of both management (process) and technical controls. Hence, more and more organisations are currently opting for UAE IA Standards compliance, as it allows them to comply with other standards as well, such as ISO 27001 (including the implementation of the ISO 27002 security controls).

Summary

The UAE IA assessment, in comparison to the implementation of other industry standards, provides a benchmark for capturing and measuring an entity’s Cyber Security Maturity. Such an approach allows actionable decisions to be made while taking into consideration applicability, priority and status. Consequently, the well-thought-out structure and depth across both the Management and the Technical controls act as the enabler for continuous improvement towards well-defined Cyber Resiliency, which can be reflected at a national level if and when needed.
