Professional Documents
Culture Documents
National Security Strategy
National Security Strategy
Security Strategy
Structure of National Cyber Security Plan (NCSP)
High
Level Policies Detailed Policies Standards
03
The telecommunication regulatory authority has issued a number of important policies and
standards to identify national trends in the field of cyber security and to unify
efforts in this regard
THE NATIONAL CYBER THE NATIONAL INFORMATION CRITICAL INFORMATION NATIONAL INFORMATION
SECURITY STRATEGY ASSURANCE FRAMEWORK INFRASTRUCTURE ASSURANCE STANDARDS
PROTECTION POLICY
04
Cyber Security Strategy Framework
Lead ersh ip
nal
io
t
Na
3 4
de
ty e and Pre F
Provi
par
ili
os
The National Strategy aims at re v
Natio Capa b
ter
en
P
To establish a path to achieve
Cola boration
1 Secure
nal
the national vision to secure Cyberspace
2
state information and advice.
er
Re
ov
sp
ec
ild
ond
and R
Bu
In order to do so, this national
strategy is designed from five
core areas:
5
05
The national cyber security strategy aims to chart a path to achieve the national vision to secure national information and
communications. In order to do so, this national strategy has been designed from five core areas:
Prepare and Prevent Strengthen the security of UAE cyber assets Elevate the Minimum Ensure Compliance to UAE
and reduce corresponding risk levels Protection Level of Cyber Cyber Security Standards
Assets and Verify Effectiveness
Respond and Recover Manage incidents to reduce impact on Develop and Embed Improve Threat
society and the economy Incident Response Neutralization
Management Capabilities Capabilities
Build National Cultivate cyber security research and Inform and Educate UAE Foster Cyber Security
Capability innovation and develop UAE’s workforce to Public and Workforce Research and Innovation
meet cyber security needs
Foster Collaboration Foster collaboration between national Cultivate a Collaborative Leverage and Contribute
and international stakeholders to catalyze National Cyber Society to International Efforts
cyber security efforts
Provide National Provide national leadership to orchestrate Develop National Cyber Coordinate and Guide
Leadership local and emirates cyber security initiatives Security Strategy and National Cyber Security
at the national level Implementation Initiatives Implementation
06
Principles of Successful NCSS Implementation
The importance of the involvement of all key stakeholders To ensure effective implementation, it is • Follow up the implementation stages
in the integrated planning process to ensure: essential that the various entities and the effectiveness of the results to
• Permanent cooperation and joint activities among all involved at the operational level and ensure appropriate improvements and
stakeholders participate in various cyber security overall success of the program.
• Identify existing challenges and ways to overcome them initiatives and activities. • Ensure effective performance
• Disseminate relevant information to reach the management, support and guidance.
competent authorities in a timely manner
• Reduce gaps and overlap between different initiatives
and activities.
07
The NIAF outlines the entity, sector and national contexts of IA through a lifecycle-based approach supported by a set of UAE
standards, effective information-sharing capability and a comprehensive governance program governed by TRA
08
Through this framework, TRA aims to ensure a minimum level of IA capabilities within all UAE entities and
establish a common approach that allows them to interact with each other and approach IA with a sector
and national perspective.
National Level
NCSA issues and manages the UAE NIAF and
supporting standards, and is responsible for Public Administration
maintaining the national IA context Health
Water & Electricity
Emergency Services
Sector Level ICT
Sector regulator collaborates with NCSA and operators Government Sector
for the implementation of UAE NIAF and sector-specific Financial
standards, and is responsible for maintaining the sector IA context Chemical
Nuclear
Oil & Gas
Entity Level
Within a sector, entities apply the UAE NIAF and are
responsible for maintaining the entity IA context
tion n
tion 1
n
Operator n
Operator 1
rn
Operator 1
n
r1
tor 1
Provider n
Provid er 1
Operator
tor
rato
Operato
n
y1
n
ty n
y1
n
1
Ins tit u
u
ty 1
era
y
Opera
Entity
ity
t
ity
Entit
t
e
ti
Entit
i
Enti
Ent
Op
i
p
Ent
Ent
Ent
O
In
09
The purpose of this policy is to identify and develop the necessary application programs to protect Critical information
infrastructure:
10
The policy also sets out the key stages of applying risk reduction to critical information infrastructures
•
uc
Assessment
eR
11
National standards for information security protection
General standards
12
The Information Assurance is a superset of information security; it covers much broader range of information protec¬tion and
management aspects including business/information continuity, disaster recovery, compliance, certification and accreditation, etc.
3 Defining roles and Applying the standards by a methodology that takes into
responsibilities consideration potential risks
13
Standards development stages
Several leading international standards in information security have been analyzed and studied as a key reference to the
development of The Information Assurance Standards
Outcomes
Leading standards for Analysis results
Information assurance standards Axes of analysis
NIST SP
27001 27002 800-35
UAE Information
Assurance Standard
• Scope of controls 1-100
14
The standards consist of two main sets of security controls (administrative and technical), there are 188 controls distributed over
15 main areas and prioritized according to four priorities.
Priority 4 45
Priority 2 69
Priority 3 35
Priority 1 39
Administrative Strategy and planning
security controls: Information security management
Awareness and training
Human Resources Security
Audit and compliance
Assessment and performance improvement
15
The entities will participate in the implementation of the INFORMATION ASSURANCE STANDARDS and the development of
sector standards in accordance with the Critical information infrastructure protection policy through communication and
cooperation with the relevant critical entities
Summary of roles:
16