NIAP C-L Guidelines en v1.0
Policy Clauses

Classification Levels
1. High
2. Medium
3. Low

Classification Labels
1. Public
2. Internal
3. Restricted
4. Secret
5. Top Secret

Government entities shall use the five classification labels.

• This policy is applicable to all organizations and sectors in the State of Qatar that are governed by the supervisory authority granted to the National Cyber Security Agency (NCSA) in Amiri Decree No.1 of 2021, in coordination with the sector regulator to which the organization reports.
• Organizations impacted by this policy will be provided a window of six (6) months, effective the date of publication, to demonstrate their roadmap to comply with this policy.
• Espionage
• Data Breaches
• Data Theft
• Data Loss (misplaced or forgotten laptops, media sticks, etc.)
• Ransomware attacks
• Malware Infections
• Cyber Crimes
• Insider Threat
2. Data Classification
3. Data Protection
4. Data Reassessment
5. Data Decommissioning
Data classification model (rows: Integrity I0–I3; columns: Availability A0–A3; four matrices as extracted):

    A0 A1 A2 A3
I0  L  M  H
I1  L  L  M  H
I2  M  M  M  H
I3  H  H  H  H

    A0 A1 A2 A3
I0  L  L  M  H
I1  L  L  M  H
I2  M  M  M  H
I3  H  H  H  H

    A0 A1 A2 A3
I0  M  M  M  H
I1  M  M  M  H
I2  M  M  M  H
I3  H  H  H  H

    A0 A1 A2 A3
I0  H  H  H  H
I1  H  H  H  H
I2  H  H  H  H
I3  H  H  H  H

• Attached is the classification model from the National Data Classification Policy v3.0.
• The classification is based on the Confidentiality, Integrity and Availability attributes of the data.
• Data is classified as Low, Medium, or High based on the overall classification and is treated accordingly during its life cycle.
• The Data Classification Label, however, is based on the Confidentiality attribute of the data.
Data Classification Labels

C0: Data that may be freely disclosed to the public.
Examples: Public Website; Published Annual Reports; Published Price Lists; Brochures/Advertising Material; Service Application Forms; Published Public Policy/Laws.

C1: Data for Internal Use.
Examples: Intranet; Internal Operating Plans; Corporate Policies and Procedures; Staff Training Material; Internal memos; Section/Department Reports; Approved Vendor List.

C2: Sensitive Data that, if compromised, could negatively affect operations.
Examples: Salaries, Budgets; Internal Pricing and Cost Information; Customer Data; Sealed Bids; Audit Reports; Product information; Financial Reports (until published).

C3: Highly sensitive corporate or customer data that, if compromised, could put the organization at financial, legal or reputational risk.
Examples: Board Level discussions; Corporate Secrets; Sealed Bids Sent; Strategic Plans such as Mergers and Acquisitions; Incident related information.

C4: Highly sensitive National Secrets and Sensitive information.
Examples: State Secrets; Sensitive Personal Data.
Figure: data classification framework. Foundations: Management Support, Business Consensus, Technology, Policy Framework, Training & Awareness. Data Lifecycle across People, Process and Technology. Roles: Data Consumer, Data Classification Specialist, Data Owner.
Key Changes in NIAS V2.1

In line with the future roadmap, we have updated the existing National Information Assurance Manual V2.0 as the National Information Assurance Standard V2.1. Wording within the document has been updated to reflect this change. The standard clears ambiguity on the scope and enforcement. The enforcement is further discussed in detail in the next few slides.

Section 4: Information Security Governance: Control on reporting of Security Manager is updated.
Section 4: Data Classification Label: Classification Labels have been changed.
Section 4: Incident Management: Controls updated in the domain, and the associated Appendix related to “Incident Management Criticality Classification” has been removed.
Section 5: Cryptography: Controls have been updated, and the associated Appendix related to “Approved Cryptographic Algorithms and Protocols” has been removed.
Section 6: Compliance & Enforcement: New section to clarify enforcement of this document.
Appendix C: List of Competent Departments added to the document.
The policy lays the foundation for implementing an Information Security Management System within an organization and will be complemented by the National Information Standard V2.1, which identifies the relevant security controls that organizations need to implement based on the security rating of the data.

The policy will be effective upon publication on the National Cyber Security Agency’s official communication channels.

Organizations impacted by this policy will be provided a window of six (6) months, effective the date of publication, to demonstrate their roadmap to comply with this policy.

The policy mandates that organizations within the scope of this policy classify their data based on the data classification scheme.

Any other deviations from this policy shall be communicated to the National Cyber Security Agency by the organization through an official correspondence explaining the justifications and rationale, along with a risk management plan identifying the risks, the assessment of the risk, mitigating controls, and communication and acceptance of the risk by senior management. Based on this, the NCSA will provide an assessment of the exception request in coordination with the sector regulator (where applicable).
Unchanged Approach for Organizational Compliance
Unchanged Data Classification Model
The Cyber Assurance Department decided to continue accepting applications for the Certificate of Compliance against NIAP V2.0 until December 31, 2023. Previously issued certificates and/or certificates issued during this period against NIAP V2.0 will continue to be valid for the period of validity stated in the certificate. Entities certified against NIAP V2.0 can only request re-certification against the National Information Assurance (NIA) Standard V2.1.

Based on the facts stated above, the Cyber Assurance Department encourages and currently accepts applications for its newly offered certification against the National Information Assurance (NIA) Standard V2.1.
Thank You
For any queries related to the policy, please send an email to
cssp@ncsa.gov.qa
Responsibilities of the Data Privacy Office - determined by the PDPPL and NDPO Responsibilities:

1. Establishing policies for controllers
2. Coordination with sector regulators
3. Conduct research and development
4. Issue guidance
5. Data breach notifications: Receive and review data breach notifications from organisations, and conduct investigations to determine violations of data privacy regulations.
6. Complaints from individuals: Receive and review complaints from individuals, and conduct investigations to determine violations of data privacy regulations.
7. Personal data of special nature: Review processing of personal data of special nature by organisations and approve based on assessment of the adequate precautions implemented by the controller.
8. Violations and enforcement: Investigate violations and recommend enforcement to appropriate legal authorities for PDPPL breaches.
9. International privacy communities: Be an active member of international privacy communities, e.g. GPEN and GPA.
10. Boost safety on the internet: Work with family organisations and societies to boost child safety on the internet.
11. (Potential) Certify organisations in scope: Certify organisations in scope of the PDPPL that demonstrate reasonable precautions around processing personal data.
12. (Potential) Accredit service providers: Accredit professional service providers that have the ability to review an organisation’s data privacy framework and provide assurance to the CDP for the issue of certification as above.
Personal data: Data of an individual whose identity is defined or can be reasonably defined, whether through such personal data or through the combination of such data with any other data, e.g. name, date of birth, phone number, video, email address, IP address, behavioral data, pseudonymized data.
PDPPL applies.
Examples of processing: collecting, gathering, receiving, registering, organizing, storing, viewing, modifying, retrieving, using, disclosing, publishing, transferring, withholding, destroying, anonymizing, and combining.
Figure: processing chain. A Controller engages one or more Processors, and each Processor may in turn engage one or more Sub-Processors (Controller → Processor → Sub-Processor).
… of the individual to the processing of personal data.
… processing is needed in order to enter into a contract.
… for which the organisation is obliged to process data for.
… of the organisation or the third parties engaged.
NDPO

Implement Appropriate Safeguards
… likelihood and impact of breaches.

Detect breaches
Controllers should be able to detect a breach if it occurs and immediately assess the potential for serious damage to individuals.

How to Notify?
Controllers should notify the National Data Privacy Office using the Breach Notification Form.

What to Notify?
• detail the nature of the personal data breach,
• include the name and contact details of the company’s primary responsible person for privacy related matters,
• describe the consequences likely to occur due to the personal data breach; and
• describe the action(s) that the controller has taken or proposes to take to address the personal data breach, including, where appropriate, actions to mitigate the possible adverse effects of the personal data breach.
Individuals

Notify personal data breaches to the affected individuals
… data breach could cause damage to individuals’ personal data or privacy. Notification of affected individuals is particularly important when the breach could cause serious damage to the affected individuals’ privacy or personal data.

Controllers should notify the individuals of the personal data breach without delay, and within 72 hours of becoming aware of it, if the personal data breach could cause serious damage to their personal data or privacy.

What to Notify?
• the name and contact details of the primary responsible person for privacy related matters,
• a description of the consequences likely to occur due to the personal data breach; and
• a description of the action(s) that the controller has taken or proposes to take to address the personal data breach, including, where appropriate, actions to mitigate the possible adverse effects of the personal data breach.
One of the aims of data privacy laws is to empower individuals and give them control over their personal data. Therefore, the PDPPL introduces what are usually referred to as ‘individuals’ rights’ concerning the protection of an individual’s personal data. It is important to note that not all of these rights are ‘absolute’, meaning some only apply in specific circumstances:

The right to protection and lawful processing: Individuals have the right to have their personal data protected and lawfully processed.
The right to request correction: Individuals have the right to request that you correct the personal data you hold about them.
Equifax's response was criticized for delays in disclosure and inadequate customer support.
The breach resulted in over $700 million in settlements, fines, and legal fees, as well as a loss of consumer trust and reputational damage.
Equifax invested in enhancing its cybersecurity infrastructure and faced increased regulatory scrutiny.
The breach serves as a reminder of the importance of proactive security measures and effective incident response to protect customer data and maintain trust in a company's brand.

Action to do
• Plan an effective automated procedure to patch critical servers and systems.
• Plan an effective incident response and handling procedure, and perform a pilot for it.
The Target data breach was a result of a sophisticated cyberattack that exploited vulnerabilities in third-party vendor access and point-of-sale systems.
Over 40 million payment cards and the personal information of up to 70 million customers were exposed.
The attackers initially gained access to Target’s network through a third-party HVAC vendor, who had been granted remote access to the company’s systems for maintenance purposes.
Once inside, the attackers moved laterally through the network, eventually reaching Target’s point-of-sale (POS) systems.
The hackers installed custom-made malware on the POS systems, which allowed them to capture customer payment card data as it was being processed.
The overall cost of the data breach is estimated to have been over $202 million, factoring in settlements, fines, loss of revenue, and reputational damages.

Lesson Learned
The incident showed the need for continuous monitoring of third-party vendors, as well as the importance of securing POS systems against potential attacks.

Action to do
• Assume any of your third-party vendors is compromised; write a plan for continuous monitoring and detection of third-party vendor activity in your network.
• Gather all your PoS systems; write detections for non-normal activities.
The 2014 Home Depot data breach was one of the largest and most costly cybersecurity incidents at the time, impacting over 56 million payment cards and exposing customers' email addresses.
This breach resulted in massive financial losses for the company, with costs totaling around $179 million.
The attackers gained access to Home Depot’s network by compromising a third-party vendor’s login credentials, which then allowed them to navigate the retailer’s systems and deploy the malware on self-checkout terminals.

Lesson Learned
Companies must prioritize cybersecurity and invest in comprehensive security strategies that include employee training, regular security audits, and advanced threat and data breach monitoring.
While the company does not believe all accounts were compromised, it is investigating the matter further. The incident highlights the vulnerability of customer data even if threat actors do not penetrate deep into a network.
A researcher who examined the leaked database found that much of the information was real, including that of his wife and her family members.
Lessons Learned:
On 27 June 2017, Maersk was hit as part of a global cyber attack named NotPetya. IT systems were down across multiple sites and select business units.
The malware arrives as infected e-mail attachments and is designed to spread automatically, rapidly, and indiscriminately using a known 1-day vulnerability called EternalBlue.
The attacker took advantage of the recent vulnerability not being patched; NotPetya spread across the whole company IT network within 7 minutes.
The malware encrypted a large number of devices and systems: 49,000 laptops destroyed, 1,200 apps instantly inaccessible and 1,000 destroyed, incl. the company’s central booking website Maerskline.com.
It took 10 days to rebuild 4,000 servers and 45,000 PCs and restore 2,500 applications; the full IT network was restored after four weeks.

Lesson Learned
• Systems not upgraded nor patched to protect from the NotPetya virus/malware
• All data, backups and systems accessible on the Internet (except the Ghana Active Directory server)
• No contingency planning (Business Continuity Plan / Disaster Recovery Plan)
NCSA CTI Unit has acquired intelligence that a third-party vendor based in Qatar has been listed on the victim list of the ransomware group called “8Base”.
The 8Base group has publicly published the data stolen from the third-party company. The content of the stolen data includes network topology, CCTV and surveillance specifications, and other files related to several Qatari entities.
Additionally, files of several other sensitive entities have been leaked, including parking management systems, the Automatic Number Plate Recognition (ANPR) System, and other files related to several Qatari entities.
The CTI Unit assesses with high confidence that the files include documents related to contracts between Government entities and the compromised entity regarding the installation of several different instruments on large national projects. The documents include contracts, checklists, and several plans such as pipeline plans and cable plans.
NCSA CTI Unit has acquired intelligence that the database of an offers and booking application that is widely used in Qatar has been leaked. It was leaked on a hacker forum used for sharing leaked databases. The database contains about 280,000 records containing Personally Identifiable Information (PII) such as Full Name, Mobile Number, Email Address, etc.
Based on Qatar Law No.13 of 2016 – Personal Data and Privacy Protection, we urge the organization to verify the personal data leakage and report the incident to the National Data Privacy Office (NDPO).
Figure: attack chain against an entity and the defensive controls at each stage. Controls: F/W, Proxy, NSM, TI, DLP Solution. Attacker stages: Code Execution (Malware); Exploitation of discovered vulnerabilities; Successful C2 Communication; Lateral Movement & Privilege Escalation (Own Entity). Attacker mindset (“Every Hacker Action”): didn’t work? No problem; re-analyze the attack surface and find another bypass, using static and dynamic vulnerability analysis and RE of the attack surface for bug classes. Root causes: Weak and Compromised User Credentials; Poor Asset/patch management; Lack of monitoring; Leaks; Ineffective security strategy and Policy.
We have seen from real incidents that large financial losses result from simple mistakes such as delayed updates.
Cyber security is not just about vulnerabilities; it is about people, technology, and processes. Therefore, we should adopt a holistic approach by considering people, technology, and processes, assessing identities, credentials, solutions, policies, and overall cyber hygiene to ensure continuous improvement and the phasing out of ineffective practices and solutions.
In conclusion, safeguarding your entity’s sensitive data should be a top priority in today’s digital age.
Q&A
Thank You
Data Security and Privacy Protection
Feedback Survey