In the history of information security, the most refined working framework for standardizing the evaluation of security was published in the 1980s in the US under the name "Trusted Computer System Evaluation Criteria", aka the "Orange Book". Since then, several information security standards such as ISO 27001, COBIT, NIST, the OWASP Top 10 and PCI have been established to standardize information security evaluation.
The rise in sophisticated and targeted cyber attacks has become a challenge for organizations worldwide. In addition, demands from business stakeholders to ensure the utmost data security and compliance, or face heavy penalties and legal proceedings, have forced entities to raise their security standards.
To comply with such requirements, NESA, the National Electronic Security Authority, a government body of the UAE, was assigned the responsibility of creating a standard cyber security framework that helps entities across the UAE follow a common information security practice. Thus the UAE IA Standards were developed as a critical element of the National Information Assurance Framework (NIAF). This framework provides guidance for elevating the level of information assurance of entities implementing it.
Although the framework inherits its criteria and controls from frameworks such as ISO 27001, COBIT, NIST, SANS and the Abu Dhabi Systems and Information Centre (ADSIC), it uniquely identifies the control requirements and priorities for providing information assurance to distinct business sectors.
Comparing the framework's life cycle to standard PDCA models.
The standard provides a generic risk assessment methodology of Risk Identification, Estimation (Measure), Evaluation and Treatment. It does not provide enough detail on the Estimation and Evaluation criteria, which means the standard expects entities to adopt or create a risk assessment methodology based on their own business requirements. Some of the common risk assessment methodologies in practice are listed below.
- OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation
- Risk Management Guide for Information Technology Systems, developed by the National Institute of Standards and Technology (NIST), SP 800-30
- Guide to ISO 27001 Risk Assessment and Risk Management
- Factor Analysis of Information Risk (FAIR)
- Threat Agent Risk Assessment (TARA)
- ISACA Risk IT
- Facilitated Risk Analysis and Assessment Process (FRAAP)
“If Policies are the foundation component of any mature information security program, then risk management needs to be the lens through which you view the organization”
UAE IA controls are mainly categorized under six management control groups and nine technical control groups. Below is a list of the control categories under each group.
These controls are further categorized into four priority levels, i.e. P1, P2, P3 and P4. A few controls are always applicable and are termed the critical controls; the applicability of the other controls depends on the outcome of the risk assessment and on the entity's risk treatment requirements. The framework also states that any exclusion of a control on grounds of applicability has to be justified with proper evidence. The total number of controls assigned to each priority level is provided in the table below.
Auditing UAE IA Standards
Any auditor familiar with ISO 27001 or COBIT will have no trouble auditing the IA Standard controls, as they are quite similar. The auditor must check which of the extensive set of controls are applicable to an entity based on its requirements.
In future blogs we will discuss a case study on the use of the UAE IA auditing standard, the major challenges faced during an audit, and the common mistakes organizations make while establishing such a framework.
About Priyabrata Mohanty
Priyabrata Mohanty is an information security enthusiast and Director at iSecurion Technology and Consulting Pvt Ltd.