NESA is the new information security standard in the United Arab Emirates. It stands for the National Electronic Security Authority, a government body tasked with protecting the critical information infrastructure of the UAE and improving national cybersecurity. To make this happen and to keep security tight, NESA has produced a set of standards and guidance for compliance specifically for government entities.
It is a completely new standard, but parts of it are based on, and mapped to, the guidance of ISO 27001 and NIST. NESA comes with a complete pack of its own documents, such as the Critical Information Infrastructure Protection Policy (CIIP) and the Information Assurance Standards (IAS). These two sets of documentation together are known as NESA, and we discuss and compare them in detail below.
The Guidance and Presentation of NESA
The presentation of NESA is simple, well put together and gives a clear view of the guidance. Two large posters are included that give a bird’s-eye view of the breakdown of security controls and the top-priority controls. Moreover, the NESA IAS gives brief guidance on every control and summarizes the main components at a high level.
What does it include?
The UAE IAS promotes a life-cycle approach: establish and implement information assurance, then continuously maintain and improve it. The life-cycle approach ensures the continual improvement of the UAE’s information assurance capabilities. Let’s take a look at a few things that are included in it.
Threat Based Approach
NESA comes with a list of threats, selected according to the percentage of breaches reported by industry since 2012. Each threat is mapped to a control, and the threats are then tackled and mitigated by implementing the high-priority controls. The threat-based approach is a new approach and a step in the right direction toward bridging the gap between business risk and IT.
The scope of NESA is the entire organization; it is not limited to a specific field as other standards are. This kind of standard and scope is quite pragmatic, as a sophisticated attacker does not limit themselves to attacking a certain part of the organization. They will attack any part, so a standard that covers the whole organization is a big deal.
Management of NESA
NESA management goes hand in hand with implementing an information assurance program, and an organization may at first struggle with the conceptual shift of viewing high-level activities as controls. This ultimately helps the business, because listing high-level management activities as controls makes auditing a simpler task.
Control Status of NESA
Compliance with NESA controls is binary: a control is either compliant or non-compliant, with no in-between. This helps organizations achieve compliance more quickly and more rigorously. Because the scope is broad and some of the controls have a wide reach, this also helps users make compliance a priority.
We integrate different standards and GRC frameworks. NESA is mapped, so you can use our controls for both ISO 27001 and NESA.
You can use the same low-level controls, the same tasks and the same evidence; just include NESA in your scope and get a customized NESA dashboard.