NESA Standard Ensures Security of UAE’s Cyberspace

To allay dependence on oil revenue and expand the private sector, the United Arab Emirates (UAE) has committed, in recent years, to establishing a knowledge-based economy. Consequently, they have become a formidable competitor in Information Communication Technology (ICT). As the ICT industry has grown, so have government agencies to regulate it, namely the Signals Intelligence Agency, formerly known as (and often still referred to as) the National Electronic Security Authority (NESA).

As ICT services imbue nearly every sector within the UAE – transportation, retail, financial services, hospitality, aerospace, and more – NESA’s importance in the UAE economy has only become more paramount.

What is UAE NESA (Now SIA)?

The National Electronic Security Authority is a federal authority of the United Arab Emirates responsible for developing, monitoring and supervising the implementation of cybersecurity strategies, policies and standards for UAE critical information infrastructure. These strategies, policies, and standards are known as the UAE Information Assurance (IA) Regulation, sometimes known as NESA regulatory compliance, and widely referred to as simply “NESA standards.”

NESA compliance is mandated to all UAE government bodies and business organizations identified as critical infrastructure. Established in 2014, the NESA agency has since been renamed the Signals Intelligence Agency (SIA) and is responsible for enhancing the UAE’s information security measures to this day. The primary goals of this organization are to serve the UAE by:

• Achieving cyber resilience
• Developing cyber defense capabilities
• Securing critical infrastructure
• Reducing cybercrime

The National Electronic Security Authority standard draws on a number of already established security standards and guidance (such as ISO 27001 and NIST).

If you want the hierarchy, here’s how it works out.

1. NESA (now SIA) heads the UAE’s cybersecurity sector.
2. NESA developed and now governs the UAE National Cyber Security Strategy (NCSS).
3. The NCSS defines the protection requirements of UAE cyberspace.
4. The primary standard to follow for NESA compliance is the UAE Information Assurance Standards (UAE IAS).

The Hot Cyber Climate that Created NESA

While the need to protect a nation’s critical infrastructure hardly needs explanation, here are some of the circumstances that surrounded the creation of UAE NESA just over a decade ago.

The year following NESA’s creation, the Kaspersky Security Bulletin Overall Statistics Report listed the UAE as 19th in a list of countries facing the greatest risk of online attacks. A third of UAE firms were hit by data breaches that year alone, revealed a survey by KPMG. Aware of these and other threats online, the UAE government decided to implement substantial measures to enhance its cyber security strategy. “We aim to create a digitally secure environment with the emphasis on shared responsibility,” Saif Al Nuaimi announced at the first RSA Conference in Abu Dhabi.

“Cybersecurity is one of the biggest economic and national security challenges countries face in the 21st century,” explained Jassem Bu Ataba Al Zaabi, Director General of NESA. “The NESA was established in line with this modern reality, and as soon as the authority was in place, we immediately initiated a thorough review of the federal efforts to defend and protect the nation’s ICT infrastructure.”

What Are the UAE NESA Controls?

The UAE IAS lists 188 security controls using a prioritized approach. They are separated into two groups:

UAE NESA: Management Controls Family

• M1: Strategy and Planning
• M2: Information Security Risk Management
• M3: Awareness and Training
• M4: Human Resource Security
• M5: Compliance
• M6: Performance Evaluation and Improvement

UAE NESA: Technical Controls Family

• T1: Asset Management
• T2: Physical and Environmental Security
• T3: Operations Management
• T4: Communications
• T5: Access Control
• T6: Third-Party Security
• T7: Information Systems Acquisition, Development, and Maintenance
• T8: Information Security Incident Management
• T9: Information Security Continuity Management

These controls are classified into four priority groups based on their effectiveness in mitigating common threats. Specifically, NESA has identified 24 common threats through analysis of industry findings. PI addresses the highest priority threats, and P4 addresses the lowest. Notably, PI addresses a full 80% of all NESA-identified security threats.

UAS NESA Risk Assessments

The National Electronic Security Authority requires organizations to have a program in place to assess risk and manage vulnerabilities. These risk assessment requirements resemble the ISO 27001 Standards. Based on their results, organizations will be required to apply additional (non-mandatory) IAS sub-controls.

• 136 IAS sub-controls are mandatory, regardless of risk assessment results.
• 564 IAS sub-controls are non-mandatory and based on risk assessment results.

Under NESA standards, organizations are also expected to regularly review and monitor any threats, risks, and vulnerabilities within their enterprise.

The UAE and NESA Today

Recent research reveals that a staggering 87% of UAE companies have faced cyberattacks in the past 24 months, with a quarter of them coming from the inside. Only 15% of UAE respondents believe their organization is prepared to defend against insider threats, and the nation faces an 18% increase in its cyber workforce demand.

The UAE’s bursting digital economy and increasing use of data may be more than partly to blame, as complex regulatory requirements react and established company security policies strain to keep up. To be a place where rapid digital advancement can not only survive but sustainably thrive, cybersecurity regulations like UAE NESA need to be adopted as quickly, readily, and permanently as the new technologies themselves.