UAE IA Standards: Measuring Cyber Security Maturity
The UAE has become an emerging technology hub in a fast-evolving, interconnected digital world, while cyber threats at a global scale are becoming far more complex and increasingly inevitable.
The UAE has significant resources and is continuously raising the bar when it comes to innovation. At the same time, smart technologies, automation and technological advances make the region a particularly attractive target for threat actors. Effective cybersecurity strategies are moving from a standalone defensive approach to mandatory security programmes that represent a competitive advantage for whole organisations.
The UAE's federal body released the UAE Information Assurance (UAE IA) Standards on 25th June 2014, as part of the Cyber Security Framework, to manage the country's cyberspace.
Since the release of the UAE IA Standards, both the UAE and the wider world have seen near-exponential growth in the cybersecurity landscape. The latest Cyber Resilience 2020 Report, published by Digital14, depicts this growth of the cyber landscape and, at the same time, offers trustworthy and actionable recommendations for thought leaders and decision makers.
Objective and Importance
The UAE IA standards represent one of the most important initiatives towards a nationwide cyber resilient smart-led digital ecosystem. More specifically:
The UAE National Cyber Security Strategy (NCSS) sets the course for the government’s ongoing commitment to protect the national cyberspace.
The UAE National Information Assurance Framework (NIAF) is aligned in supporting the implementation of the NCSS.
The UAE IA Standards are a critical element of the National Information Assurance Framework (NIAF).
The UAE IA Standards outline the requirements that are necessary for elevating the level of IA across all implementing entities in the UAE.
The objective of the UAE IA Standards is to help entities across the UAE follow a common information security practice and ensure the utmost security and compliance. This establishes standardisation across the entities implementing this framework. Compliance with this standard is mandatory for all Government entities and any other entities identified as 'Critical', such as an organisation that is identified as part of the Critical National Infrastructure (CNI). The outcome of the UAE IA assessment depicts the overall security posture of an entity's Information Security environment. Most importantly, the outcome of the assessment is capable of providing a benchmark for measuring Cyber Security Maturity.
Fundamentals of the UAE IA Standards, security assessment and compliance
The UAE IA assessment is a collection of fifteen (15) information security domains which are grouped under management and technical controls (Figure 1).
Figure 1 – The UAE IA Security Controls Summary
More specifically, management controls are composed of six (6) control families, while technical controls are composed of nine (9) control families (Figure 2).
Figure 2 – The UAE IA Security Control families.
The fifteen (15) domains have in total 188 security controls, of which sixty (60) controls fall under Management and 128 controls fall under Technical. In addition, each security control has a priority assigned to it, which shifts the weight of the outcome and allows the focus and effort to be directed towards what matters most. Most importantly, thirty-five (35) management controls are classified as "always applicable", while the applicability of the remaining controls depends on the outcome of the Risk Assessment.
Enabling the Cybersecurity ongoing process
To be in a position to measure Cyber Security maturity, Digital14 has aggregated the UAE IA security control domains into six (6) key assessment areas to create a meaningful and actionable Cybersecurity Scorecard.
The consolidation ensures a focused and structured approach to risk mitigation while enabling each assessed entity to be in a position to:
actively monitor changes
consider ongoing initiatives
identify hidden risks
The assessment across the six (6) key assessment areas is carried out as two core streams of work. The Security Controls Assessment work stream is performed by the Governance, Risk & Compliance (GRC) team, while the Technical Assessment work stream is performed by both the Vulnerability Assessment & Penetration Testing (VAPT) team and the Compromise Assessment (CA) team.
UAE IA assessment structure
The assessment uses a phased approach which includes interactive workshops (interviews), documentation review, analysis (observations) and report writing (Figure 3).
Figure 3 – The UAE IA assessment phased approach.
The purpose of the assessment is to validate the current capabilities of the Information Security section, identify gaps, highlight omissions against industry best practices, and provide recommendations to improve the maturity of the information security programme, all mapped against the UAE IA Standards and framework.
Interactive workshop (interviews): Interview Meetings are the first step of the UAE IA Assessment, where all in-scope teams are assessed against the relevant and applicable controls.
Documentation Review: Evidence collection and review is an important phase which brings into the spotlight the current information security and cybersecurity a) status, b) hygiene, c) maturity and d) potential gaps.
Analysis (observations): Assessment remarks are captured and final analysis on controls’ effectiveness is conducted, while considering a holistic perspective.
Report Writing: Once analysis is completed, the next step is to develop a draft report and conduct a validation meeting for both GRC and CND findings, before producing the final report and the depicted scorecard.
Measuring Cyber maturity:
Figure 4 – The UAE IA assessment Scorecard.
Digital14 has developed a platform to project Information Security control effectiveness through a Scorecard. As mentioned earlier, the UAE IA controls are aggregated across six (6) key assessment areas that describe the maturity of the controls implemented at the entity. Each control is mapped to one of the six key assessment areas and is weighted based on the criticality of the domain as well as the control priority. Based on the output of the assessment, an overall cybersecurity score is calculated, and this score represents the cybersecurity maturity level of the assessed entity.
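The aggregation described above, as an added illustration and not Digital14's platform or scoring model: every area weight, priority weight and status-to-score mapping below is constructed for the example, as are the control records. It shows how not-applicable controls drop out of the denominator while a control the standard marks "always applicable" cannot be excluded that way.

```python
"""Illustrative scorecard aggregation over UAE IA style controls (added example)."""
from dataclasses import dataclass

# Constructed weights: the page names six assessment areas and says they are
# weighted by criticality, but gives no values. Labels A1..A6 are placeholders.
AREA_WEIGHT = {"A1": 1.0, "A2": 1.5, "A3": 1.0, "A4": 2.0, "A5": 1.0, "A6": 1.5}
# Constructed priority weights; the page only says each control carries a priority.
PRIORITY_WEIGHT = {"P1": 3, "P2": 2, "P3": 1}
# Constructed mapping from implementation status to effectiveness (0..1).
# None marks "not applicable", i.e. excluded after the Risk Assessment.
STATUS_SCORE = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0, "na": None}


@dataclass
class Control:
    cid: str               # control identifier (placeholder, not a real UAE IA id)
    area: str              # one of the six assessment areas
    priority: str          # P1 (highest) .. P3
    status: str            # key into STATUS_SCORE
    always_applicable: bool = False


def scorecard(controls):
    """Return ({area: score %}, overall %) for a list of assessed controls.

    Per-area score = priority-weighted mean effectiveness of applicable controls.
    Overall score  = area-criticality-weighted mean over areas that had controls.
    """
    num = {a: 0.0 for a in AREA_WEIGHT}
    den = {a: 0.0 for a in AREA_WEIGHT}
    for c in controls:
        score = STATUS_SCORE[c.status]
        if score is None:
            # "Always applicable" controls may not be waived via the Risk Assessment.
            if c.always_applicable:
                raise ValueError(f"{c.cid} is always applicable and cannot be N/A")
            continue
        w = PRIORITY_WEIGHT[c.priority]
        num[c.area] += w * score
        den[c.area] += w
    per_area = {a: round(100 * num[a] / den[a], 1) for a in AREA_WEIGHT if den[a]}
    total_w = sum(AREA_WEIGHT[a] for a in per_area)
    overall = round(sum(AREA_WEIGHT[a] * per_area[a] for a in per_area) / total_w, 1)
    return per_area, overall
```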
Comparisons against similar initiatives for compliance:
The UAE IA controls assessment can be considered more comprehensive than ISO 27001, as it contains multiple domains and controls that are not present in ISO 27001, with a particular focus on how effectively each security control is implemented. In addition, following best practices from NIST SP 800-53, ISO 20000, COBIT and even PCI DSS and Cyber Essentials is in many cases predominantly a matter of "ticking the box" across different IT security initiatives, rather than a holistic approach to measuring and improving Cyber Security across all verticals of an organisation.
Even though in principle a mapping between the controls of the UAE IA Standards, ISO 27001 and NIST SP 800-53 is possible and does exist, there is a significant difference between the way an audit is conducted and how the UAE IA assessment is executed. The figure below (Figure 5) simply summarises the number of controls that exist among the different compliance initiatives one can choose to work on.
Figure 5 – Security Controls across different compliance initiatives
Implementing the UAE IA Standards across UAE entities not only ensures effective compliance with the UAE National Information Assurance Framework (NIAF), as part of the UAE National Cyber Security Strategy (NCSS), but also provides compliance with essential regulatory bodies. Hands-on experience with UAE IA Standards security assessments has made it apparent that ISO 27001 is more of a process-oriented standard. In contrast, COBIT and NIST are more technical, while at the same time they can be considered subsets of the UAE IA Standards.
As an overall comparison, the UAE IA Standards provide a balance of both management (process) and technical controls. Hence, more and more organisations are currently opting for UAE IA Standards compliance, as it allows them to comply with other standards as well, such as ISO 27001 (including the implementation of the ISO 27002 security controls).
The UAE IA assessment, in comparison to the implementation of other industry standards, provides a benchmark when capturing and measuring an entity's Cyber Security Maturity. Such an approach allows actionable decisions to be made while taking applicability, priority and status into consideration. Consequently, the well thought-out structure and depth across both the Management and the Technical controls act as the enabler for continuous improvement towards well-defined Cyber Resiliency, which can be reflected at a national level if and when needed.