Managing Cyber Threat: UAE Cybersecurity Strategy, Information Assurance Regulation and ISO 27001, part 1/2
Audience:
Technology enthusiasts, CIOs, CSOs, IT specialists, IS/IT security specialists.
Purpose of this article:
This article is written as a review of Information Systems security standards, in particular the UAE National Cybersecurity Strategy and the UAE Information Assurance regulation (IAS): its implementation, and its relationship and alignment to the international standard ISO 27001.
Document structure: this article is divided into two parts. Part 1/2 discusses the UAE Cybersecurity Strategy and the UAE Information Assurance Regulation; Part 2/2 discusses ISO 27001.
Introduction:
The widespread implementation of ICT has brought many undisputed benefits to mankind, created the digital economy, and maximized the return on business investments in the public and private sectors. ICT will continue to add benefits and opportunities, especially to our businesses' commercial revenue. These advantages and perks include, but are not limited to: widely accessible communications leading to improved collaboration, improved customer experience both globally and locally, increased efficiency and productivity, and environmental benefits. The benefits are countless and have become vital to the economic development of any government; nevertheless, every rose has its thorn.
The Thorn:
A closer look at the threats facing Information Assets, and at the concepts of protection against these threats, leads us to the InfoSec "Security Triad" concept: a security model represented by a triangle. Each side of the triangle represents one aspect of Information Systems security: Confidentiality, Integrity, and Availability. The Information Assets are placed at the center of this triangle. The InfoSec triad is known as the CIA security triad.
The most important element of the ICT ecosystem is the human element (end-users or employees). At the same time, humans can pose substantial threats to an organization. Malicious attacks can come in a "visible" form, for example a "script kiddie" threat actor scanning logical ports, which generates a lot of alarms and noise in the IT services department; they can likewise come in a disguised "invisible" form, from an organized crime group or "black hat" cyber actors, as in the recent rebirth of phishing email floods that clear the way for information-extortion ransomware attacks.
These are the worst and most dreadful, because they allow threat actors to sneak in silently and slowly so as not to trigger an alarm, consequently breaking defense lines one after the other. If successful, this allows these actors to illegally hijack important information (i.e. assets). The threat actor ends up encrypting the organization's most important server data and holding the decryption key for ransom. They might also bring online services down. They ask the victim organization for payment as a condition for releasing the decryption keys and not publishing the stolen information. The payment is usually in the form of cryptocurrency to ensure the anonymity of the attacker. As you have noticed, such threat actors affect the Confidentiality, Integrity, and Availability of an Information system.
Non-human threats can have a huge impact as well; consider briefly the impact of the following risks on the availability and integrity of Information systems: electric power failures, fire, lightning strikes, air-conditioning or heating system failure, flooding, mishandling, operational faults (deliberate or accidental), theft, sabotage, earthquakes, and the list goes on.
The magnitude of damage caused by threats to IT assets, by cyberattacks and by other risks can range from small to enormous.
Direct financial losses, disruption of provided services, exposure of confidential client information, theft of trade secrets, or the wipeout of existing valuable data are just examples. In various incidents, these consequences have damaged the organization's image and reputation, both directly and as a resulting impact, and have moreover led to legal ramifications. Cyberattacks can be the source of substantial loss that forces an organization to shut down its operations; therefore, building a long-term defense plan for all of these assets (including human resources) is a must at the current time. Long-term plans (or strategies) help to avoid damage, to reduce its impact when it occurs, and to ensure the cyber resilience of Information systems. It is paramount that a defense strategy (more than a plan) is implemented and enforced.
Standards are created to provide mutual understanding:
The adoption of ICT systems in business (as in other industries) has led to the development and adoption of different flavors of Information systems assurance standards and frameworks. The most well-known and widespread sets of international standards for Information security are:
- SANS Top 20 Critical Security Controls - CIS CSC,
- ISO 27K series,
- National Institute of Standards and Technology - NIST 800-53,
- Payment Card Industry Data Security Standard - PCI-DSS.
An organization may choose to comply with a particular standard or might use a "hybrid approach" that combines controls from different standards. It all depends on the requirements.
Extent of cyber-attacks:
Accidents and incidents affecting ICT infrastructure, and security threats globally and locally, are overwhelming. It is worthwhile to mention the increase in cyber threats during and after the COVID-19 crisis, as an example of the continuously changing face of security at every turn.
UAE updated NCSS:
In June 2019, the UAE TRA (Telecommunications Regulatory Authority) launched an update of the UAE National Cybersecurity Strategy (UAE NCSS).
The updated strategy works as a shield against cybercrime and supports securing the Information and Communications Technology infrastructure of the public sector, local critical national services, and the private sector from hostile and malicious cyberattacks. It also helps local organizations build a healthy and solid security posture to combat malicious cyberattacks.
As stated by His Highness Sheikh Mohammed bin Rashid Al Maktoum: "Our aim is not to have the most data, but to unleash the greatest value from data, creating new opportunities and improved experiences for all". TRA and the UAE authorities have established the following broad objective: "to create a safe and strong cyberinfrastructure in the UAE that enables citizens to fulfill their aspirations and empowers businesses to thrive" (tra.gov.ae press release).
This strategy capitalizes on the protection of Confidentiality, Integrity, and Availability while keeping the provision of "IT Services, Functionality, and Operations" simple and smooth, supporting innovation and economic development.
Can I live with only ISO 27001, and who has to comply? All UAE organizations are involved
For the impatient reader: compliance with the international standard ISO 27001 is voluntary; it is not mandatory for government entities or private sector organizations under UAE law.
However, compliance with the UAE Information Assurance standards (IAS) is mandatory for government and critical entities identified in the Critical Information Infrastructure Protection Policy (CIIP). This also includes contractors or partners who do business with, or provide services to, those entities. Applying the IAS framework and its standards is a comprehensive endeavor that includes the controls of ISO 27001; the IAS is itself based on the international standards of the ISO 27K family and NIST.
Compliance is achieved through an integrated interaction with the "sector regulators" and the Telecommunications Regulatory Authority (TRA). The UAE IA is currently at version 1.1, issued in March 2020.
The UAE authorities highly recommend and support the private sector and SMEs in applying and fulfilling the IA standard and framework, as it covers the implementation of the international standard ISO 27001 Information Security Management System (ISMS).
The scope of the IAS, the protection of critical assets, targets the following 9 UAE sectors: Energy, ICT, Government, Electricity and water, Finance and insurance, Emergency services, Health services, Transportation, and Food and agriculture.
Private sector organizations and smaller entities might choose to voluntarily comply with and implement ISO 27001 when they decide to take a step forward towards a) better governance of their Information Security, b) ensuring the use of InfoSec best practices, and c) meeting the requirements of international Information security laws. Implementing an effective ISMS is certainly based on business needs and on the ISMS's plentiful advantages, as listed in the paragraphs below.
Implementing compliance with ISO 27001 and its related standards is an excellent "first step" towards smooth and easy implementation of, and compliance with, the UAE IA regulation framework and standards. Conversely, implementing and conforming to the UAE IAS makes conformance and compliance with the international standard ISO 27001 an easy job.
---------------------------------------------------------------------------------------------------------------
UAE National Cybersecurity Strategy -Vision:
---------------------------------------------------------------------------------------------------------------
“To create safe and resilient cyberinfrastructure in the UAE that enables citizens to fulfill their aspirations and empowers businesses to thrive” -www.tra.gov.ae
Five main pillars that raise the ceiling of the Cybersecurity ecosystem - Strategy Pillars:
Since "absolute security" cannot be achieved by isolated individuals, isolated cities, or even isolated countries, as cyber threats are transnational, the following common initiatives will facilitate collaborative work between all ICT security stakeholders, entities, and individuals to achieve Cybersecurity and Cyber resilience:
1. Enforcing a legal framework - Cybersecurity laws & regulations:
While focusing on the challenges of existing and emerging technologies (such as Cloud Services, AI, IoT, Encryption/Digital certificates/eSignature, and Blockchain), the NCSS is creating a legal and regulatory framework that will support cyberdefense. The laws and regulations will be under regular development to ensure the inclusion and coverage of new technological innovations in the fast-changing cyberspace.
This will help the public sector, private sector, and individuals address continuously evolving cyberthreat tactics, and will help in selecting the best deterrent armor.
2. Facilitating the Cybersecurity ecosystem - Vibrant Cybersecurity ecosystem:
The strategy encourages and supports businesses and security professionals in capturing and benefiting from the growing ICT market opportunity, by paving the way for market leadership, supporting financing, facilitating a Cybersecurity culture, and providing an opportunity to support education and skills development. A motivational awards and incentives program has been set up to encourage professionals and students in Cybersecurity skills development. These initiatives similarly focus on citizen Cybersecurity awareness, covering children and teens, college students, senior citizens, and people with determination.
3. Enabling fast and effective IR - National Cyber Incident Response plan
To effectively identify and minimize the damage of cyberattacks, the UAE NCSS supports setting up a comprehensive Incident response plan with the purpose of limiting damage. Examples are the actions taken in incident response preparation, identification, planning for containment, isolation and eradication, BCP recovery, and restoration. Initiatives introduced include a single point of contact, active monitoring of cyberthreats, threat intelligence information sharing, and building world-class incident response capabilities, tactics, and teams.
4. Supporting critical assets - CIIP program, Critical Information Infrastructure Protection Policy
The NCSS strengthens the protective capabilities of critical assets in the 9 sectors (Energy, ICT, Government, Electricity and water, Finance and insurance, Emergency services, Health services, Transportation, Food and agriculture) by establishing world-class risk management standards and implementing reporting, processing, and response.
5. Facilitating national and International collaboration - Partnerships
The government is leveraging partnerships with different entities to mobilize the whole Cybersecurity ecosystem to face Cybersecurity challenges, focusing on effective public and private sector, national, and international relationships. Partnership and collaboration with universities and educational institutions, researchers, and faculty is an important source of solutions against cyber threats, and thus feeds the ICT Cybersecurity ecosystem described in the strategy (NCSS).
Self-Check! - Governance:
The NCSS touches every organization in the UAE, as you might have noticed from this summary. The strategy is monitored by governance vehicles consisting of nine committees (derived from the 9 critical sectors). The National Incident Response Committee and the Cyber Intelligence Unit are two additional governance stakeholders.
Data from the TRA initiative team, aeCERT, stakeholders, law enforcement agencies, and global threat intelligence reports will be compared against 20 KPIs (established by TRA) to monitor and steer the progress and impact of implementing the NCSS.
Expected benefits:
In addition to compliance with UAE regulations and realizing the protection of Information assets, implementing and enforcing the updated strategy (NCSS) would produce a realistic, reasonable, and correct delineation of the roles of IT Security and Cybersecurity and clarify their purpose in an organization. This strategy, along with the supporting policies and standards, would correspondingly help run smooth and resilient IT operations through professional threat management. One additional important benefit is that this strategy would be of immense value in ensuring that the organization's management clearly understands the relationship between ICT security and business continuity. The adoption of the NCSS strategy would gradually support building up a highly qualified army of security professionals that would add strength to vulnerable defense fronts.
References :
UAE National Cybersecurity Strategy
UAE NCSS download (PDF)
---------------------------------------------------------------------------------------------------------------
The UAE Information Assurance Regulation - IA, V1.1, March 2020:
---------------------------------------------------------------------------------------------------------------
The updated Information Assurance regulation (IAS) is not only a standard that promotes security, nor only a standard that helps an organization prevent a threat actor from penetrating a server, for instance. Information Systems Assurance is a holistic approach (from a high perspective) that governs ICT business continuity (survival) and ensures the healthy development of a "secure and resilient national ICT infrastructure". Assurance describes the requirements to realize protection for all "information assets and the supporting systems" in UAE entities and organizations. IA is not a static list of points to be followed; instead, it is a continuous improvement process that ensures capabilities keep improving against the changing surface of cyberspace.
You may note that Information Assurance is a very broad term and a practice that is well established in the ICT industry, and that Information Systems Assurance brings a large body of conceptual theory with it. This write-up addresses the protection of information assets under the "Information Assurance practice", taking into consideration the differences, overlap, and synergies between Information Assurance, IT Security, and Cybersecurity.
The IAS regulation also serves as a "how-to guide" for securing and protecting UAE Information systems. This is the "standard" that external security consultants and your internal mature and capable IT/IS team will work on to enable your organization's readiness and conformance. It is also the reference against which TRA will evaluate the organization's compliance, using the criteria associated with each of its security controls.
A. Sources and alignment to international standards:
There are numerous global and national IT/IS governance frameworks, policies, standards, best practices, guidelines, and regulations built around the fundamental security triad of Confidentiality, Integrity, and Availability (C.I.A.), extended with authentication and non-repudiation of information. The IAS is derived from and based on world-renowned, well-accepted, and trusted international security standards. As with all other standards, the IAS is aligned and related to other international standards.
Note: For professionals with knowledge of implementing the international standard ISO 27001 ISMS, the UAE IAS can be looked at as a combination of both ISO 27001 and ISO 27002 and related family standards.
The IAS regulation is knitted around the following standards and frameworks:
* UAE National standards:
- National Information Assurance Framework (NIAF).
- Abu Dhabi Systems & Information Centre (ADSIC), Information Security Standards V1 & 2 / Information Security Policy.
- Dubai Government Information Security Resolution (ISR).
- Critical Information Infrastructure Protection Policy (CIIP).
- National Cyber Risk Management Framework (NCRMF).
- National Cyber Information Sharing Policy.
* International security standards/frameworks:
- PCI-DSS.
- International standards family ISO 27k (in addition to elements derived from ISO 27005, ISO 27010 and ISO 27032).
- Security and Privacy Controls for Federal Information Systems & Organizations - NIST 800-53 R4.
- SANS 20 V4.1.
As mentioned above, the IA is a main building block of the UAE NCSS.
B. An opportunity to collaborate:
It is worth mentioning that implementing the UAE IAS standards and framework opens channels of communication and cooperation between the implementing entities (different organizations) and enhances shared operational responsibilities with the sector regulators and the critical entities, which in turn allows these entities to participate in the development of sector standards.
C. Summary of key points of the IAS:
1. Workflow setup - communication protocol:
A hierarchical workflow pyramid (context) is identified on 3 levels, National, Sector Regulators, and entity level, which facilitates interaction and communication to ensure an integrated relationship among the stakeholders. It is crucial that the reporting structure and the flow of information follow this communications management model in a) a timely, b) a continuous, and c) a progressive manner to ensure the success of the IAS implementation. Communication flows both ways (up and down).
The flow of communications and reporting structure: TRA is designated at the national top level, sector regulators are at the middle level, and at the base are the various entities and organizations.
D. Risk-based assessment approach:
Successful adoption and implementation start with identifying the critical risks and vulnerabilities that threaten the organization's well-being and expose the Confidentiality, Integrity, and Availability of its services. A risk-based approach is one of the techniques that enable the identification process to be completed quickly and pragmatically, by focusing on the most critical risks, their biggest impacts, and the most likely vulnerabilities, those that can cause the largest damage.
The risk-based assessment steps are a pretty standard risk management process, of course with these steps prioritized and customized to focus on the risks whose impact is "most, biggest, largest, material, substantial", eventually leading to the identification of security risk controls, the generic term for actions that "manage and contain" risks in a broad context.
As per the IAS, the risk activities are: 1) Establishing the environment, 2) Risk identification, 3) Risk estimation, 4) Risk evaluation, 5) Risk treatment, 6) Risk acceptance, 7) Risk monitoring and review, together with Risk communication and consultation; through these we obtain a risk profile and reach a conclusion on how we are going to manage the impact of treating the identified risks and vulnerabilities and their consequences.
Another valuable advantage of a risk-based approach is that it helps prioritize the implementation of these controls; hence, this approach becomes the basis for progressive and incremental implementation based on the proposed priorities and the priorities set during the risk-based assessment.
How to read the controls:
TRA has provided an interesting categorization and prioritization of security risk controls, and it is easy to follow. The controls are presented in attractively colored and titled tables. The tables describe the controls and their sub-controls, and the controls are grouped into families. Finally, each control is assigned a priority indicator "P1, P2, P3 or P4", colored in a dashboard style, and an applicability tag ("Always applicable" or not).
Let’s have a look at how all this transforms into clear information:
------------------------------------------------------------------------------------------------------
Families of controls have sub-family members, each followed by a description paragraph for every individual control that belongs to that sub-family.
-------------------------------------------------------------------------------------------------------
A. Each Family table has the following topics:
Control Family Name; Control Family Number; Objective; Performance Indicator.
The following are the 15 Control Families:
Management control families contain 60 controls:
M1: Strategy and Planning, M2: Information Security Risk Management, M3: Awareness and Training, M4: Human Resources Security, M5: Compliance, M6: Performance Evaluation and Improvement.
Technical control families contain 128 controls:
T1: Asset Management, T2: Physical and Environmental Security, T3: Operations Management, T4: Communications, T5: Access Control, T6: Third-Party Security, T7: Information Systems Acquisition, Development, and Maintenance, T8: Information Security Incident Management, T9: Information Security Continuity Management.
B. "Sub-Family control" tables have the following points:
Sub-family Control Name; Sub-family Control Number; Objective; Performance Indicator; Automation Guidance; Relevant Threats and Vulnerabilities.
C. Individual "Controls" tables have a detailed description of the control and implementation guidance, and each control is assigned a priority level indicator marked in 4 colors:
This grouping indicator helps to distinguish and lay down a proposed sequence of implementation scenarios.
Furthermore, the control table specifies the applicability mandate: whether the control is "Always applicable" or its applicability is "Based on" the result of the risk assessment (RA).
Controls listing starts from section 5.3 on page 32 of the UAE IAS and continues to page 209.
---------------------------------------------------------------------------------------------------------------
Note on the appendices:
Always Applicable controls - Appendix A:
There are 35 critical controls identified as "Always applicable" controls. These controls belong to the Management control families. Always Applicable controls must be implemented first, at the kick-off of conformance activities, as discussed above, and do not depend on the result of the risk assessment. Not complying with any one of the 35 controls triggers non-conformance to the IAS regulation.
Summary of the prioritized controls - Appendix B:
Classifications have been added to extend the value of this regulation, and a summary of the priority controls is listed in Appendix B. Implementing the P1 controls ensures that a major share of cyber threats is avoided, which kicks in the "cyber defense mode" quickly, achieving relief and some degree of confidence.
It should be understood that the remaining controls (P2 = 69, P3 = 35, P4 = 45) are still required to be applied, but in later phases; they can be demoted or promoted based on the risk assessment, while exclusions are possible when properly justified.
The reader will also find a reference mapping to other standards like ISO 27002, NIST 800-53, and ADSIC ISS v1 and v2 in Appendix C.
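As an added illustration (not from the regulation or this article's author), the reading rules above for the risk-based approach and the control tables can be turned into a small implementation planner: always-applicable controls come first and any gap there is a non-conformance, "Based on" controls are in scope only when the risk assessment (RA) finds a relevant risk, and in-scope controls are phased by P1..P4 with RA promotion or demotion and justified exclusions. The control ids, risk tags, catalogue and RA decisions are constructed sample data, not the real IAS control list.

```python
"""Phased implementation planner for an IAS-style control catalogue.

Encodes the reading rules of the control tables: "Always applicable"
controls are mandatory regardless of the risk assessment (RA), are done
first at kick-off, and any gap there is a non-conformance; "Based on"
controls are in scope only when the RA identifies a relevant risk; in-scope
controls are phased by their priority P1..P4, which the RA may promote or
demote; exclusions need a written justification. The control ids, risk tags
and catalogue below are constructed sample data, not the regulation's list.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

PHASES = ("P1", "P2", "P3", "P4")


@dataclass(frozen=True)
class Control:
    cid: str                 # constructed id in the style of the tables
    priority: str            # "P1".."P4" as printed in the control table
    always_applicable: bool  # True: Appendix A style; False: "Based on" RA
    implemented: bool = False
    risks: tuple = ()        # RA risk tags that bring a "Based on" control in scope


@dataclass
class RaDecision:
    """What the risk assessment decided for one control."""
    priority_override: Optional[str] = None  # promote or demote, e.g. "P1"
    exclude: bool = False
    justification: str = ""                  # required when exclude is True


def plan(catalogue: Iterable[Control], ra_risks: Iterable[str],
         decisions: Dict[str, RaDecision]) -> dict:
    """Build the phased plan and the conformance verdict.

    Returns a report with 'gaps' (always-applicable controls not yet
    implemented, i.e. non-conformances), 'phases' (controls left to do per
    phase, kick-off first), 'excluded' and 'out_of_scope' ids.
    """
    risks = set(ra_risks)
    report = {"gaps": [], "excluded": [], "out_of_scope": [],
              "phases": {"kick-off": [], **{p: [] for p in PHASES}}}
    for c in catalogue:
        d = decisions.get(c.cid, RaDecision())
        if c.always_applicable:
            # Mandatory regardless of RA: no exclusion, no re-prioritisation.
            if d.exclude or d.priority_override:
                raise ValueError(f"{c.cid}: always-applicable controls "
                                 "cannot be excluded or re-prioritised")
            if not c.implemented:
                report["gaps"].append(c.cid)
                report["phases"]["kick-off"].append(c.cid)
            continue
        if not risks & set(c.risks):
            report["out_of_scope"].append(c.cid)  # RA found no relevant risk
            continue
        if d.exclude:
            if not d.justification.strip():
                raise ValueError(f"{c.cid}: exclusion requires a justification")
            report["excluded"].append(c.cid)
            continue
        if c.implemented:
            continue
        phase = d.priority_override or c.priority
        if phase not in PHASES:
            raise ValueError(f"{c.cid}: unknown priority {phase!r}")
        report["phases"][phase].append(c.cid)
    report["non_conformant"] = bool(report["gaps"])
    return report


# Constructed sample catalogue and RA outcome (not the real IAS controls).
SAMPLE_CATALOGUE = [
    Control("M1.1.1", "P1", True, implemented=True),
    Control("M2.1.1", "P1", True),                       # missing: non-conformance
    Control("T5.1.1", "P1", False, risks=("unauthorised-access",)),
    Control("T2.1.1", "P3", False, risks=("flooding", "fire")),
    Control("T4.1.1", "P2", False, risks=("data-interception",)),
    Control("T8.1.1", "P2", False, implemented=True, risks=("ransomware",)),
    Control("T3.1.1", "P4", False, risks=("ransomware",)),
    Control("T6.1.1", "P3", False, risks=("third-party",)),
]
SAMPLE_RA_RISKS = ["unauthorised-access", "data-interception",
                   "ransomware", "third-party"]
SAMPLE_DECISIONS = {
    "T4.1.1": RaDecision(priority_override="P1"),        # promoted by the RA
    "T3.1.1": RaDecision(exclude=True,
                         justification="compensated by T8.1.1; see RA item 7"),
}

if __name__ == "__main__":
    r = plan(SAMPLE_CATALOGUE, SAMPLE_RA_RISKS, SAMPLE_DECISIONS)
    print("non-conformant:", r["non_conformant"], "gaps:", r["gaps"])
    for phase, ids in r["phases"].items():
        print(f"{phase:>8}: {ids}")
```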
Reference:
UAE Information Assurance Regulation, March 2020, Version 1.1
Additional useful links:
The Computer Emergency Response Team (aeCERT)
Standard Information Security Policy - aeCERT-TRA
Reference to UAE Cyber Crime laws:
Abu Dhabi Digital Authority
Dubai Cybersecurity Strategy Version 2.0 / Dubai Electronic Security Center (PDF download from the center's page)
COBIT, Effective IT Governance at Your Fingertips
Continue reading: an overview of ISO 27001 in the next article:
Managing Cyber Threat: UAE Cybersecurity Strategy, Information Assurance Regulation and ISO 27001, part 2/2
Saleh Omeir / www.dhirubhai.net/in/saleho