UAE’s Information Assurance Regulation – How to Achieve Compliance

For years, the United Arab Emirates (UAE) has committed itself to adopting information technology (IT) and electronic communication. The UAE’s Telecommunications Regulatory Authority (TRA) noted that this policy has made the state’s government agencies and organizations more efficient as well as has improved the ability for individuals to collaborate around the world. As such, the TRA recognizes the importance of further developing these technologies and their supporting infrastructure going into the future. But the TRA is well aware of how these technologies increase the UAE’s digital risk. Indeed, the country has suffered its fair share of digital attacks in recent years. In a survey of 150 CSOs/CISOs from different industries in the UAE, Proofpoint found that 82 percent of organizations had experienced at least one digital attack in 2019. Just over half (51%) suffered multiple incidents such as account compromise, credential phishing and insider threats, reported Gulf Business. These incidents produced financial loss (29%), data breaches (28%) and a decreased customer base (23%) at surveyed organizations. Acknowledging these threats, the TRA concluded that it needed to help government agencies and other entities within the UAE support their systems and protect their information assets. The regulatory authority responded by devising an Information Assurance (IA) Regulation to provide in-scope entities with minimum baseline requirements for safeguarding the UAE’s critical information infrastructure. Implementing entities must therefore achieve and continue to demonstrate compliance with the IA Regulation. How can they best go about to do this? To answer that question, this blog post will provide some basic information about what’s covered in the UAE IA Regulation. It will then explain how Tripwire Enterprise can assist organizations in achieving compliance with the Regulation.

The Regulation’s Information Assurance Lifecycle

The UAE Information Assurance Regulation insists that in-scope organizations take a lifecycle approach to information assurance. This approach consists of five parts:

1. Understand the security requirements of the organization and/or its industry along with the need to develop a corresponding policy with clearly defined security objectives.
2. Take a wholistic approach to risk by conducting risk assessments, identifying risk mitigation measures and implementing the necessary security controls to manage risk.
3. Implement security controls to manage security risks that fit within the context of the organization’s and/or sector’s business risks.
4. Monitor the effectiveness of the information security controls and processes implemented by the organization and/or sector.
5. Use objective measurements to make changes to its information assurance strategy, where necessary.

Through these five steps, organizations can build a loop through which they can continually adjust their IA efforts in light of emerging threats and evolving technologies.

Inside the Risk-Based Approach

As noted in the above summary, Step Two is particularly important to the Information Assurance Regulation’s lifecycle. This phase enables in-scope organizations to review their systems for software vulnerabilities and other risks. From there, they can work to implement appropriate mitigation or remediation security measures. The TRA noted that organizations should refer to the National Cyber Risk Management Framework (NCRMF) in implementing a risk assessment. To maximize their efforts, organizations should break down their assessments into eight discrete steps:

1. Decide on the objectives, strategies, scope and parameters of the risk assessment, including which segments of the infrastructure should be assessed.
2. Build a set of risks based upon the organization’s information security requirements. That list should include the sources of risks, where those risks lay, how those risks could manifest and what the consequences of those events could be.
3. Estimate to what extent the risks could undermine confidentiality, integrity and/or availability of the organization’s assets. Additionally, evaluate the likelihood of those potential consequences occurring.
4. Compare these estimated risks with the risk criteria established by the organization earlier in the process in order to establish which risks exist outside of acceptable parameters.
5. Address the risks by using security controls to reduce the risk, accept the risk based upon the organization’s criteria, avoid actions that produce the risk or transfer the risk to another party.
6. Accept residual risk by the management of the entity.
7. Monitor and review the results of the risk assessment in order to ensure the ongoing relevance of the risk management and treatment process.
8. Communicate and consult with stakeholders across each stage of the risk management process so that they understand the process and the required actions that need to be taken.

Once organizations have put that plan in place, they can then turn their attention to implementing security controls for the purpose of managing risk. They will need to implement two types of controls: those that are applicable for complying with the UAE Information Assurance Regulation and those that reflect the results of the risk assessment. Each control consists of several sub-controls along with performance indicators that provide insight into their implementation.

Using Tripwire Enterprise to Comply with the IA Regulation

Tripwire Enterprise can assist organizations in complying with the UAE IA Regulation. In particular, it can help in-scope entities address seven key security controls and processes. These are as follows:

• Asset management: Assists in the auditing and management of IT assets and establishes a baseline for those assets connecting to the network.
• Physical and environmental security: Prevents loss, damage, theft or compromise of the entity’s assets and/or any interruption to the entity’s functionality.
• Operations management: Ensures the entity maintains effective operational control of the security functions pertaining to its information systems and its data.
• Communications: Protects all information that’s exchanged within and between entities.
• Access control: Institutes security measures that restrict levels of access for the user, application, network and operating system as well as for mobile computing.
• Information systems acquisition, development and maintenance: Prevents individuals from misusing or modifying information without authorization at all stages of the software development lifecycle.
• Dashboard: Reviews assets’ integrity system logs and security configurations through Tripwire Enterprise’s dashboard.

For more information on how Tripwire can help your organization maintain compliance with the UAE IA Regulation, click here.