A Guide to NESA IAS Compliance
The National Electronic Security Authority (NESA) was established in 2012 in the United Arab Emirates (UAE) as the first federal authority responsible for innovating cybersecurity in the country. As part of its mandate, NESA produced the UAE Information Assurance Standards (IAS), a set of standards and guidelines for entities that support critical national services across all sectors.
These standards aim to protect the UAE’s critical data infrastructure and advance national cybersecurity. To be compliant, organizations must protect information assets, mitigate identified information security risks, implement effective controls and establish a secure culture by raising awareness of security-related issues.
Compliance with them is mandatory for all government organizations, semi-government organizations and critical infrastructure business organizations.
The Structure of the IAS
The IAS are heavily inspired by existing international standards, most notably ISO 27001 and NIST, from which they adopted a number of controls. The IAS consist of 188 security controls and standards split into four priority tiers, P1 having the highest priority and P4 the lowest. Each control has additional sub-controls, document requirements and performance indicators.
The list of security controls is based on 24 threats NESA identified through industry reports and prioritized taking into consideration the percentage of breaches they were responsible for. In this way, the 39 controls that make up the highest priority tier, P1, address 80% of the security threats NESA identified.
In total, the IAS have 136 mandatory sub-controls (falling under 35 of the 188 controls) and 564 sub-controls whose application depends on risk assessment results. The risk assessment requirements are similar to those stipulated in ISO 27001. Organizations need to establish a risk methodology and criteria that they can then use to identify risks, threats and vulnerabilities and to calculate their potential impact in order to determine the risk level. Based on the results, they can then decide whether the organization needs to apply the corresponding IAS sub-controls. These risks must then be monitored and reviewed regularly.
The controls can also be divided into two families: 60 management controls and 128 technical controls. The management controls cover strategy and planning, information security risk management, human resources security, compliance efforts, awareness and training, and performance evaluation and improvement.
The technical controls, meanwhile, address asset management, physical and environmental security, operations management, communications, access control, third-party security, information systems acquisition, development and maintenance, information security incident management, and information security continuity management.
It is worth noting that of the 188 security controls, the 35 mandatory ones, which NESA considers essential for a strong information security foundation, all belong to the management control family. None of the technical controls are mandatory; their application depends solely on risk assessment results.
Enforcement and penalties
NESA’s enforcement of the IAS takes a four-tier approach based on the level of risk an organization poses to the UAE’s critical data information infrastructure:
- Reporting: self-assessment by organizations in line with mandatory and voluntary IAS requirements;
- Auditing: NESA can request specific evidence from organizations to support their self-assessment reports;
- Testing: when appropriate, NESA can commission tests of the information security measures organizations have in place;
- National Security Intervention: in extreme cases, if NESA judges that an organization’s activities are leading to unacceptable national security risks, it can directly intervene.
While NESA does not specify any penalties for non-compliance, organizations doing business in the UAE need to be aware that, should their operations be considered critical to the UAE’s data infrastructure, they will inevitably fall under the scrutiny of industry regulators and NESA. Non-compliance brings with it the risk of that scrutiny intensifying and escalating to direct intervention by NESA.
The NESA IAS are based on internationally recognized standards and form an excellent basis for a sturdy cybersecurity framework that can help companies, even those that do not fall within their scope, to avoid data breaches and keep sensitive data secure.