The Regulation’s Information Assurance Lifecycle

The UAE Information Assurance Regulation insists that in-scope organizations take a lifecycle approach to information assurance. This approach consists of five parts:
- Understand the security requirements of the organization and/or its industry along with the need to develop a corresponding policy with clearly defined security objectives.
- Take a holistic approach to risk by conducting risk assessments, identifying risk mitigation measures and implementing the necessary security controls to manage risk.
- Implement security controls to manage security risks that fit within the context of the organization’s and/or sector’s business risks.
- Monitor the effectiveness of the information security controls and processes implemented by the organization and/or sector.
- Use objective measurements to make changes to the organization’s information assurance strategy, where necessary.
Inside the Risk-Based Approach

As noted in the above summary, Step Two is particularly important to the Information Assurance Regulation’s lifecycle. This phase enables in-scope organizations to review their systems for software vulnerabilities and other risks. From there, they can work to implement appropriate mitigation or remediation security measures. The TRA noted that organizations should refer to the National Cyber Risk Management Framework (NCRMF) in implementing a risk assessment. To maximize their efforts, organizations should break down their assessments into eight discrete steps:
- Decide on the objectives, strategies, scope and parameters of the risk assessment, including which segments of the infrastructure should be assessed.
- Build a set of risks based upon the organization’s information security requirements. That list should include the sources of risks, where those risks lie, how those risks could manifest and what the consequences of those events could be.
- Estimate to what extent the risks could undermine confidentiality, integrity and/or availability of the organization’s assets. Additionally, evaluate the likelihood of those potential consequences occurring.
- Compare these estimated risks with the risk criteria established by the organization earlier in the process in order to establish which risks exist outside of acceptable parameters.
- Address the risks by using security controls to reduce the risk, accept the risk based upon the organization’s criteria, avoid actions that produce the risk or transfer the risk to another party.
- Have the entity’s management formally accept the residual risk.
- Monitor and review the results of the risk assessment in order to ensure the ongoing relevance of the risk management and treatment process.
- Communicate and consult with stakeholders across each stage of the risk management process so that they understand the process and the required actions that need to be taken.
Using Tripwire Enterprise to Comply with the IA Regulation

Tripwire Enterprise can assist organizations in complying with the UAE IA Regulation. In particular, it can help in-scope entities address seven key security controls and processes. These are as follows:
- Asset management: Assists in the auditing and management of IT assets and establishes a baseline for those assets connecting to the network.
- Physical and environmental security: Prevents loss, damage, theft or compromise of the entity’s assets and/or any interruption to the entity’s functionality.
- Operations management: Ensures the entity maintains effective operational control of the security functions pertaining to its information systems and its data.
- Communications: Protects all information that’s exchanged within and between entities.
- Access control: Institutes security measures that restrict levels of access for the user, application, network and operating system as well as for mobile computing.
- Information systems acquisition, development and maintenance: Prevents individuals from misusing or modifying information without authorization at all stages of the software development lifecycle.
- Dashboard: Reviews asset integrity, system logs and security configurations through Tripwire Enterprise’s dashboard.