NESA on Steroids

Upload: paladionnetworks01

Posted on 23-Feb-2017

Category: Technology

TRANSCRIPT

Page 1: NESA on Steroids

STRICTLY PRIVATE & CONFIDENTIAL © 2015

Page 2: NESA on Steroids


NESA UAE IA Standard

Management Control Family
• M1 Strategy and Planning
• M2 Information Security Risk Management
• M3 Awareness and Training
• M4 Human Resources Security
• M5 Compliance
• M6 Performance Evaluation and Improvement

Technical Control Family
• T1 Asset Management
• T2 Physical and Environmental Security
• T3 Operations Management
• T4 Communications
• T5 Access Control
• T6 Third-Party Security
• T7 Information Systems Acquisition, Development and Maintenance
• T8 Information Security Incident Management
• T9 Information Systems Continuity Management

The UAE IA Standard is divided into two families of security controls: Management and Technical. The control families are further structured into control sub-families and individual controls and sub-controls. There are 188 security controls prescribed as part of the standard.

Security Control Priority | Total Count of Security Controls
P1 Controls | 39
P2 Controls | 69
P3 Controls | 35
P4 Controls | 45
Total | 188

Page 3: NESA on Steroids


Acceptable Changes in the Implementation Priorities

Implementing entities may alter (promote or demote) the suggested priority of controls based on the outcomes of their risk assessment, with the exception of the top-priority (P1) controls, which, if applicable, may be augmented but never reduced. In practice this means a control can be moved up into P1 after a risk assessment, but a P1 control can never be moved down to P2, P3 or P4.

Page 4: NESA on Steroids


NESA Compliance Approach

The implementation of NESA compliance should be undertaken in four phases:

Phase 1 - Critical Services Identification
• Project planning
• Identify critical business services across the organization
• Identify the Critical Information Infrastructure (CII) supporting the critical business services

Phase 2 - Gap & Risk Assessment
• Assess existing control gaps vis-a-vis the NESA UAE IA Standard
• Assess threats and vulnerabilities that can exploit the gaps
• Identify cyber security controls that will reduce the identified risks
• Define a detailed NESA implementation roadmap
• Perform data classification

Phase 3 - Control Development & Implementation
• Develop P1 controls, then implement support for the P1 controls
• Develop P2 controls, then implement support for the P2 controls
• Develop P3 controls, then implement support for the P3 controls
• Develop P4 controls, then implement support for the P4 controls
• Conduct a comprehensive security awareness program

Phase 4 - Control Effectiveness Check & Audit
• Assess the performance of the implemented controls
• Conduct a pre-compliance audit
• Assist the organization in meeting the NESA requirements during the compliance audit

Page 5: NESA on Steroids


Type 1 Implementation Plan - Entity Wise

Each stage runs through all four phases (Phase 1 to Phase 4) for one group of departments before the next group starts:

Stage 1 - Support Departments (IT, HR, Admin, Finance, Legal, Compliance): Phases 1-4, ending in full NESA compliance for the support departments

Stage 2 - Customer-Facing Departments: Phases 1-4, ending in full NESA compliance for the customer-facing departments

Stage 3 - Back-end Operations Departments: Phases 1-4, ending in full NESA compliance for the back-end operations departments

Page 6: NESA on Steroids


Type 2 Implementation Plan - Control Wise

Each stage runs through all four phases (Phase 1 to Phase 4) for all departments, but covers only one slice of the control set. The 69 P2 controls are spread evenly across the three stages (3 x 23 = 69):

Stage 1 - P1 compliance (39 controls) + P2 compliance (23 controls), for all departments: ends in full compliance with the P1 controls for the entire organization

Stage 2 - P3 compliance (35 controls) + P2 compliance (23 controls), for all departments: ends in full compliance with the P3 controls for the entire organization

Stage 3 - P4 compliance (45 controls) + P2 compliance (23 controls), for all departments: ends in full compliance with the P2 and P4 controls for the entire organization

Page 7: NESA on Steroids


P1 Controls

Security Family | Count of Controls
Strategy and Planning | 4
Information Security Risk Management | 12
Awareness and Training | 1
Human Resource Security | 3
Asset Management | 1
Operations Management | 3
Operations Management (listed a second time on the slide) | 2
Access Control | 12
Information Systems Acquisition, Development and Maintenance | 1
Total | 39

Sample List of Structural & Procedural Controls
• Leadership and management commitment
• Roles and responsibilities for information security
• Information security risk management
• Training needs
• Removal of access rights
• Management of removable media
• Controls against malware
• Information backup
• User access management

Sample List of Suggested Technology Controls
• Risk Management Tool
• Endpoint Protection Solution for Anti-malware
• Backup & restore solution
• Identity & Access Management System
• VPN
• Vulnerability Scanning
• Segregation of network

Page 8: NESA on Steroids


P1 Controls: Compliance with Paladion Expert Systems

Sample structural & procedural controls (Leadership and management commitment through User access management, as listed on the previous page): Ready-to-use knowledgebase & experienced consultants

Sample suggested technology controls and the matching Paladion expert system (paired in slide order):
• Risk Management Tool: NESA Compliant Risqvu GRC
• Endpoint Protection Solution for Anti-malware: NESA Compliant Managed End Point Service
• Backup & restore solution: NESA Compliant Managed End Point Service
• Identity & Access Management System: NESA Compliant Paladion IAM Service
• VPN: NESA Compliant Paladion Managed End Point Service
• Vulnerability Scanning: NESA Compliant Paladion Managed Security Testing & Monitoring Service
• Segregation of network: Ready-to-use knowledgebase & experienced consultants

Page 9: NESA on Steroids


P2 Controls

Sample List of Structural & Procedural Controls
• Third-party security
• Information security objectives
• Awareness and training program
• Human resources security policy
• Internal audits
• Asset management
• Physical & environmental security
• Security monitoring
• Network security
• Cloud security
• Software security
• Cryptography
• Incident management

Sample List of Suggested Technology Controls
• Compliance Management Tool
• Asset Management Tool
• Configuration Management Tool
• DLP Solution
• Wireless network security
• SIEM Solution
• Static Application Security Testing (SAST) / Dynamic Application Security Testing (DAST) Tool
• Cryptographic controls & Key Management Systems
• Building Physical Security Systems
• Building Environmental Control Systems

Security Family | Count of Controls
Information Security Risk Management | 1
Awareness and Training | 6
Human Resource Security | 5
Compliance | 5
Performance Evaluation & Improvement | 4
Asset Management | 6
Physical & Environmental Security | 5
Operations Management | 6
Communications Security | 4
Access Control | 4
Third Party Security | 5
Information Systems Acquisition, Development and Maintenance | 8
Information Security Incident Management | 3
Total | 69

(The per-family counts as printed on the slide add up to 62, not the stated total of 69; the slide does not show which rows are missing or understated.)

Page 10: NESA on Steroids


P2 Controls: Compliance with Paladion Expert Systems

Sample structural & procedural controls (Third-party security through Incident management, as listed on the previous page): Ready-to-use knowledgebase & experienced consultants

Sample suggested technology controls: Compliance Management Tool; Asset Management Tool; Configuration Management Tool; DLP Solution; Wireless network security; SIEM Solution; SAST & DAST Tool; Cryptographic controls & Key Management Systems; Building Physical Security Systems; Building Environmental Control Systems

Paladion expert systems mapped to these technology controls (as listed on the slide):
• NESA Compliant Risqvu GRC
• NESA Compliant Paladion Managed End Point Service
• NESA Compliant Paladion Managed Network Service
• NESA Compliant Paladion Managed Security Testing & Monitoring Service
• Advisory Services for implementation

Page 11: NESA on Steroids


P3 Controls

Sample List of Structural & Procedural Controls
• Data protection and privacy of personal information
• Performance evaluation policy
• Classification of information
• Physical & environmental security
• Security monitoring
• Electronic messaging
• Information transfer
• Network security
• Software security
• Information systems continuity plans

Sample List of Suggested Technology Controls
• Data Classification Solution
• SIEM Solution
• Change control & monitoring solution
• Software testing & bug tracking solution
• Media Shredding Devices

Security Family | Count of Controls
Awareness and Training | 1
Compliance | 2
Performance Evaluation and Improvement | 1
Asset Management | 3
Physical and Environmental Security | 7
Operations Management | 4
Communications Security | 5
Access Control | 2
Information Systems Acquisition, Development and Maintenance | 7
Information Systems Continuity Management | 3
Total | 35

Page 12: NESA on Steroids


P3 Controls: Compliance with Paladion Expert Systems

Sample structural & procedural controls (Data protection and privacy of personal information through Information systems continuity plans, as listed on the previous page): Ready-to-use knowledgebase & experienced consultants

Sample suggested technology controls: Data Classification Solution; SIEM Solution; Change control & monitoring solution; Software testing & bug tracking solution; Media Shredding Devices

Paladion expert systems mapped to these technology controls (as listed on the slide):
• NESA Compliant Paladion Managed End Point Service
• NESA Compliant Paladion Managed Security Testing & Monitoring Service
• Advisory Services for implementation

Page 13: NESA on Steroids


P4 Controls

Sample List of Structural & Procedural Controls
• Contact with authorities
• Information systems audit controls
• Supporting utilities
• Capacity management
• Connectivity to information sharing platforms
• Teleworking
• Third-party security policy
• Control of operational software
• Incident response testing
• Information systems continuity management policy

Sample List of Suggested Technology Controls
• Network Time Synchronization Solution
• Network Access Control (NAC) Solution
• Mobile Device Management (MDM) Solution
• File Integrity Monitoring (FIM) Solution

Security Family | Count of Controls
Strategy and Planning | 2
Compliance | 6
Physical and Environmental Security | 4
Operations Management | 4
Communications Security | 4
Access Control | 4
Third Party Security | 1
Information Systems Acquisition, Development and Maintenance | 9
Information Security Incident Management | 10
Information Systems Continuity Management | 1
Total | 45

Page 14: NESA on Steroids


P4 Controls: Compliance with Paladion Expert Systems

Sample structural & procedural controls (Contact with authorities through Information systems continuity management policy, as listed on the previous page): Ready-to-use knowledgebase & experienced consultants

Sample suggested technology controls and the matching Paladion expert system (paired in slide order):
• Network Time Synchronization Solution: NESA Compliant Paladion Managed Network Service
• Network Access Control (NAC) Solution: NESA Compliant Paladion Managed Network Service
• Mobile Device Management (MDM) Solution: NESA Compliant Paladion Managed Mobile Devices
• File Integrity Monitoring (FIM) Solution: Advisory Services for implementation

Page 15: NESA on Steroids

NESA Compliance Management Solution from Paladion

Page 16: NESA on Steroids


NESA Compliance Management Solution (NESA-CMS)

Solution Component 1 - Managed NESA GRC
1. NESA GRC Implementation
2. NESA Compliance Audit Support
3. Ongoing Sustenance of NESA GRC

Solution Component 2 - Managed Network Security
1. Perimeter Security
2. Web Proxy
3. URL Filter
4. Wi-Fi Security
5. Remote User Access Security

Solution Component 3 - Managed Endpoint Security
1. Endpoint Protection
2. DLP
3. Patch Management
4. Backup Management
5. Client VPN

Solution Component 4 - Managed Mobile Device Security
1. Mobile Device Management
2. Mobile Application Management
3. Mobile Email Management
4. Mobile Browsing Management
5. Mobile Endpoint Protection

Solution Component 5 - Managed Security Testing & Monitoring
1. Security Testing
2. Security Log Collection & Analysis
3. Log Retention
4. Security Incident Management
5. Brand Monitoring

NESA-CMS is a one-stop package for entities that are mandated by NESA to demonstrate their compliance with the stringent cyber security requirements of the UAE IA Standard.

Page 17: NESA on Steroids


Solution Component 1 - Managed NESA GRC

Paladion delivers the NESA GRC program in a very compact model using the RisqVU GRC solution. It has NESA-compliant workflows, a pre-defined NESA knowledgebase, reporting templates and customizable capabilities to cover the varying requirements from one organization to another.

[Diagram: RisqVU GRC program overview. Elements shown: Security GRC Program (Security Strategy, Security Leadership & Team Structure, Security Awareness, Maturity Measurement, Audit & Tracking, Verification & Validation); Risk Assessment and Asset Identification across Business Units, Products & Services, Business Processes, Applications, Infrastructure, Facilities and Vendors; Cyber Security Risk Assessment covering Technology Risks, Process Risks and Vendor Risks; RisqVU modules: Risk Management, Audit Management, Enterprise Dashboard, Awareness, Administration.]

Page 18: NESA on Steroids


Solution Component 2 - Managed Network Security

The implementation of Solution Component 2 includes the deployment and ongoing administration of perimeter security devices (e.g. firewall and IPS), web proxies, URL filtering, Wi-Fi security, remote user access security, etc. Implementing entities can select the desired technologies as per the technology requirements of the UAE IA Standard.

Fully Managed Service
• We provide a 'complete network security package' in a service model: network security technologies bundled with comprehensive services for deployment, management, operations, monitoring and support, delivered remotely from our SOC.
• You do not need to procure any technology, hardware or software, or build security skills to deploy, manage and operate the network security set-up.
• Simplified and fast deployment and operations in an opex model with zero upfront capex.

Continuous 24x7 Protection
• We provide all the services you need for robust protection of your network on a 24x7 basis (network security management, operations, monitoring and support) from our ISO 27001 certified SOC, managed by security experts, so that your network is protected against threats at all times.
• Pre-configured policies and rules based on industry best practices that can be modified to suit your requirements.
• Easy policy and configuration management, monitoring, enforcement and prompt response in case of any events.

"Always-On" Unified Visibility and Control
• You get access to our Customer Portal, which provides real-time security and service delivery visibility into the status of your network security and the other security services delivered by Paladion OnDemand. This helps you achieve better, unified control of your security outcomes.
• The portal can be accessed from anywhere at any time, providing "always-on" 24x7x365 visibility of your security posture with respect to network security. Customers can use the portal to view security and compliance reports and dashboards, and to interact with our SOC through ticketing workflow management.

Comprehensive Reports & Dashboards
• The Customer Portal provides complete 24x7 visibility into the outcomes of the network security services, with on-demand reporting.
• Intuitive, easy-to-read reports and dashboards that meet the requirements of management as well as technical personnel, and several regulatory requirements.
• Several pre-built reports and dashboards, plus the ability to define your own custom reports and dashboards.

Easily Meet & Demonstrate Regulatory Compliance
• Our service enables you to demonstrate regulatory compliance to auditors quickly and effectively.
• We have pre-built and customizable report templates that help generate consolidated reports to meet compliance requirements.
• You do not need to invest time and effort gathering data from several sources in order to show compliance to auditors.

Service features: Firewall/IPS; Gateway Anti-virus; Botnet Filtering; Wi-Fi; Policy and Configuration Management; URL/Web Content Filtering; VPN & Roaming User Management; Compliance & Monitoring; Proxy Caching; Bandwidth Control; Geo-IP Filtering; Web 2.0 Controls; Customer Portal; Reports & Dashboards

Page 19: NESA on Steroids


Solution Component 3 - Managed Endpoint Security

The implementation of Solution Component 3 includes the deployment and ongoing administration of an endpoint protection solution, DLP agent, patch management solution, backup and restoration solution, client VPN, etc. Implementing entities can select the desired technologies as per the technology requirements of the UAE IA Standard.

Fully Managed Service
• We provide a 'complete endpoint security package' in a service model: endpoint security technologies bundled with comprehensive services for deployment, management, operations, monitoring and support, delivered remotely from our SOC.
• You do not need to procure any technology, hardware or software, or build security skills to deploy, manage and operate the endpoint security set-up.
• Simplified and fast deployment and operations in an opex model with zero upfront capex.

Continuous 24x7 Protection
• We provide all the services you need for robust protection of your endpoints on a 24x7 basis (endpoint security management, operations, monitoring and support) from our ISO 27001 certified SOC, managed by security experts, so that your endpoint devices are protected against threats at all times.
• Pre-configured policies and rules based on industry best practices that can be modified to suit your requirements.
• Easy policy and configuration management, monitoring, enforcement and prompt response in case of any events.

"Always-On" Visibility and Control
• You get access to our Customer Portal, which provides real-time security and service delivery visibility into the status of your endpoint security and the other security services delivered by Paladion OnDemand. This helps you achieve better, unified control of your security outcomes.
• The portal can be accessed from anywhere at any time, providing "always-on" 24x7x365 visibility of your security posture with respect to endpoint security. Customers can use the portal to view security and compliance reports and dashboards, and to interact with our SOC through ticketing workflow management.

Comprehensive Reports & Dashboards
• The Customer Portal provides complete 24x7 visibility into the outcomes of the endpoint security services, with on-demand reporting.
• Intuitive, easy-to-read reports and dashboards that meet the requirements of management as well as technical personnel, and several regulatory requirements.
• Several pre-built reports and dashboards, plus the ability to define your own custom reports and dashboards.

Easily Meet & Demonstrate Regulatory Compliance
• Our service enables you to demonstrate regulatory compliance to auditors quickly and effectively.
• We have pre-built and customizable report templates that help generate consolidated reports to meet compliance requirements.
• You do not need to invest time and effort gathering data from several sources in order to show compliance to auditors.

Service features: Anti-Virus/Anti-Malware; Firewall; Desktop Compliance; Inventory; Policy and Configuration Management; Device Control; Application Control; Compliance & Monitoring; Back-up (local); Client VPN; IT Usage/Productivity; Patch Management; Customer Portal; Reports & Dashboards

Page 20: NESA on Steroids


Solution Component 4 - Managed Mobile Device Security

The implementation of Solution Component 4 includes the deployment and ongoing administration of a mobile device management solution, mobile application management module, mobile email management module, mobile browsing management module, mobile endpoint protection module, etc. Implementing entities can select the desired technologies as per the technology requirements of the UAE IA Standard.

Fully Managed Service
• We provide a 'complete mobile device (including BYOD) security package' in a service model: MDM/EMM technologies bundled with comprehensive services for deployment, management, operations, monitoring and support, delivered remotely from our SOC.
• You do not need to procure any technology, hardware or software, or build security skills to deploy, manage and operate the mobile device/BYOD security set-up.
• Simplified and fast deployment and operations in an opex model with zero upfront capex.

Continuous 24x7 Protection
• We provide all the services you need for robust protection of your mobile device/BYOD set-up on a 24x7 basis (mobile device security management, operations, monitoring and support) from our ISO 27001 certified SOC, managed by security experts, so that your corporate data on mobile devices is protected against threats at all times.
• Pre-configured policies and rules based on industry best practices that can be modified to suit your requirements.
• Easy policy and configuration management, monitoring, enforcement and prompt response in case of any events.

"Always-On" Visibility and Control
• You get access to our Customer Portal, which provides real-time security and service delivery visibility into the status of your mobile device security and the other security services delivered by Paladion OnDemand. This helps you achieve better, unified control of your security outcomes.
• The portal can be accessed from anywhere at any time, providing "always-on" 24x7x365 visibility of your security posture with respect to mobile device security. Customers can use the portal to view security and compliance reports and dashboards, and to interact with our SOC through ticketing workflow management.

Comprehensive Reports & Dashboards
• The Customer Portal provides complete 24x7 visibility into the outcomes of the mobile device/BYOD security services, with on-demand reporting.
• Intuitive, easy-to-read reports and dashboards that meet the requirements of management as well as technical personnel, and several regulatory requirements.
• Several pre-built reports and dashboards, plus the ability to define your own custom reports and dashboards.

Easily Meet & Demonstrate Regulatory Compliance
• Our service enables you to demonstrate regulatory compliance to auditors quickly and effectively.
• We have pre-built and customizable report templates that help generate consolidated reports to meet compliance requirements.
• You do not need to invest time and effort gathering data from several sources in order to show compliance to auditors.

Service features: Mobile Device Management (MDM); Mobile Application Management (MAM); Containerization and App Wrapping; Anti-Virus; Policy and Configuration Management; Mobile Email Management (MEM); Mobile Browsing Management (MBM); Compliance & Monitoring; Location Tracking; BYOD Management; Geo-Fencing; Mobile Kiosk Management (MKM); Customer Portal; Reports & Dashboards

Page 21: NESA on Steroids


Solution Component 5 - Managed Security Testing & Monitoring

The implementation of Solution Component 5 includes the deployment and ongoing administration of security testing (e.g. penetration testing, application security testing, configuration review), security log collection and analysis on a 24/7 basis, log retention, security incident management support, and brand monitoring (e.g. phishing monitoring, website malware monitoring). Implementing entities can select the desired technologies as per the technology requirements of the UAE IA Standard.

Fully Managed Service
• We provide a 'complete security monitoring package' in a service model: security monitoring technology (SIEM) bundled with comprehensive services for deployment, management, operations, monitoring and support, delivered remotely from our SOC.
• You do not need to procure any technology, hardware or software, or build security skills to deploy, manage and operate the security monitoring set-up.
• Simplified and fast deployment and operations in an opex model with zero upfront capex.

Continuous 24x7 Protection
• 24x7 security monitoring of your IT infrastructure for detection of both external and internal attacks.
• Our security monitoring platform automates the collection, aggregation and analysis of security logs from multiple sources, covering all standard devices and platforms (servers, routers, firewalls, databases, applications and other systems).
• Pre-configured automated rules, alerts and reports based on industry best practices and regulatory requirements, for both management executives and the technical team.
• Risk-based prioritization of alerts to focus mitigation efforts on higher-priority events.

"Always-On" Unified Visibility and Control
• You get access to our Customer Portal, which provides real-time security and service delivery visibility into the status of your security monitoring and the other security services delivered by Paladion OnDemand. This helps you achieve better, unified control of your security outcomes.
• The portal can be accessed from anywhere at any time, providing "always-on" 24x7x365 visibility of your security posture with respect to security monitoring. Customers can use the portal to view security and compliance reports and dashboards, and to interact with our SOC through ticketing workflow management.

Comprehensive Reports & Dashboards
• The Customer Portal provides complete 24x7 visibility into the outcomes of the security monitoring services, with on-demand reporting. You get intuitive, easy-to-read reports and dashboards that meet the requirements of management as well as technical personnel, and several regulatory requirements, with several pre-built reports and dashboards plus the ability to define your own.
• Daily Security Insights / Monthly Security Insights and Compliance Reports.
• Pre-configured automated reports to meet several compliance requirements such as PCI, HIPAA, Central Bank guidelines, etc.

Easily Meet & Demonstrate Regulatory Compliance
• Our service enables you to demonstrate regulatory compliance to auditors quickly and effectively.
• We have pre-built and customizable report templates that help generate consolidated reports to meet compliance requirements. You do not need to invest time and effort gathering data from several sources in order to show compliance to auditors.
• Automated monitoring and alerting of compliance-related events.

Service features: Security Logs Collection/Aggregation; Security Logs Analysis; Incident Management Support; Daily Malware Monitoring for Websites; Rules & Alerts Management; Configurable Log Retention; Multiple Devices/Platform Support; Compliance Automation; Alerts through Email/SMS/Portal; Detect both internal & external attacks; Risk-based Alert Prioritization; 24x7 Monitoring from SOC; Customer Portal; Reports & Dashboards

Page 22: NESA on Steroids

Next Steps to Proceed

Page 23: NESA on Steroids


How to Check Your Current Compliance Level?

Use our current compliance indicator tool to quickly check your current compliance level vis-a-vis the NESA UAE IA Standard. The tool automatically generates a compliance level based on your responses to short questions on the management and technical security controls prescribed in the NESA UAE IA Standard.
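The two mechanical rules the deck states, the priority split (P1 39, P2 69, P3 35, P4 45, totalling 188) and the reprioritisation rule from the "Acceptable Changes" slide (promote or demote after a risk assessment, but never demote a P1 control), can be checked in code before a compliance indicator is trusted. The following Python is an added illustration, not Paladion's compliance indicator tool and not part of the original deck: it builds a placeholder inventory with synthetic identifiers (C-001 to C-188, which are not NESA control numbers), refuses any priority change that reduces a P1 control, and rolls constructed yes/no answers up into a per-priority compliance percentage the way the slide describes. Every identifier and answer in it is constructed for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Control counts per priority as stated on the "NESA UAE IA Standard" slide.
# 39 + 69 + 35 + 45 = 188 controls in total.
DECK_COUNTS = {"P1": 39, "P2": 69, "P3": 35, "P4": 45}

# Lower rank = higher priority. Used to decide whether a change is a
# promotion (towards P1) or a demotion (away from P1).
PRIORITY_RANK = {"P1": 1, "P2": 2, "P3": 3, "P4": 4}


@dataclass(frozen=True)
class Control:
    cid: str       # synthetic identifier (C-001 ...), NOT a NESA control number
    priority: str  # one of P1..P4


class PriorityChangeError(ValueError):
    """Raised when a requested priority change breaks the deck's rule."""


def build_inventory() -> list[Control]:
    """Constructed inventory: one placeholder control per counted control,
    numbered C-001..C-188 in priority order (all P1 first, then P2, ...)."""
    inventory: list[Control] = []
    n = 0
    for prio, count in DECK_COUNTS.items():
        for _ in range(count):
            n += 1
            inventory.append(Control(f"C-{n:03d}", prio))
    return inventory


def priority_counts(inventory: list[Control]) -> dict[str, int]:
    """How many controls sit at each priority."""
    return dict(Counter(c.priority for c in inventory))


def reprioritise(inventory: list[Control], changes: dict[str, str]) -> list[Control]:
    """Apply risk-assessment driven promotions/demotions (cid -> new priority).

    Rule from the 'Acceptable Changes' slide: any control may be promoted or
    demoted, except P1 controls, which may be augmented (other controls moved
    up into P1) but never reduced (a P1 control may never leave P1)."""
    result = []
    for c in inventory:
        new = changes.get(c.cid, c.priority)
        if new not in PRIORITY_RANK:
            raise PriorityChangeError(f"{c.cid}: unknown priority {new!r}")
        if c.priority == "P1" and PRIORITY_RANK[new] > PRIORITY_RANK["P1"]:
            raise PriorityChangeError(
                f"{c.cid}: P1 controls may be augmented but never reduced"
            )
        result.append(Control(c.cid, new))
    return result


def compliance_level(inventory: list[Control], responses: dict[str, bool]) -> dict[str, float]:
    """Roll yes/no answers up into a compliance percentage per priority and
    overall. A control with no answer counts as not met (conservative)."""
    met: Counter[str] = Counter()
    total: Counter[str] = Counter()
    for c in inventory:
        total[c.priority] += 1
        if responses.get(c.cid, False):
            met[c.priority] += 1
    level = {p: round(100.0 * met[p] / total[p], 1) for p in total}
    level["overall"] = round(100.0 * sum(met.values()) / sum(total.values()), 1)
    return level


def demo() -> dict[str, float]:
    """Constructed answers: 36 of 39 P1 controls met, 34 of 69 P2, none of P3/P4."""
    inventory = build_inventory()
    p1 = [c for c in inventory if c.priority == "P1"]
    p2 = [c for c in inventory if c.priority == "P2"]
    responses = {c.cid: True for c in p1[:36]}
    responses.update({c.cid: True for c in p2[:34]})
    return compliance_level(inventory, responses)


if __name__ == "__main__":
    print(demo())
    # Promoting a P2 control into P1 is allowed (P1 is augmented) ...
    print(priority_counts(reprioritise(build_inventory(), {"C-040": "P1"})))
    # ... demoting a P1 control is not.
    try:
        reprioritise(build_inventory(), {"C-001": "P2"})
    except PriorityChangeError as exc:
        print("rejected:", exc)
```

Unanswered questions are deliberately scored as "not met", so the indicator can only understate compliance, never overstate it; and because the P1 check is enforced in `reprioritise` rather than left to the person filling in the questionnaire, a risk assessment that quietly pushes a P1 control down the list is rejected at the point of change.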

Page 24: NESA on Steroids

© 2015 PALADION NETWORKS PRIVATE LIMITED | WWW.PALADION.NET | CONFIDENTIAL