National Security Strategy
Structure of National Cyber Security Plan (NCSP)
High Level Policies: UAE National Cyber Security Strategy. Policies established by the NCSP that create entire work programs.
Detailed Policies: National IA Framework, CIIP, National IR, ... Top-level and supporting policies within each strategic domain.
Standards: Common Cyber Security Standards, Sector-Specific Cyber Security Standards. Detailed standards outlining specific security control requirements.
(Figure: the level of detail increases from High Level Policies through Detailed Policies to Standards.)
02
Main National Cyber Security Policies
03
The Telecommunications Regulatory Authority (TRA) has issued a number of important policies and standards to identify national trends in the field of cyber security and to unify efforts in this regard:
• The National Cyber Security Strategy
• The National Information Assurance Framework
• Critical Information Infrastructure Protection Policy
• National Information Assurance Standards
04
Cyber Security Strategy Framework
(Figure: the five core areas of the National Strategy arranged around the national vision: 1 Prepare and Prevent, 2 Respond and Recover, 3 Build National Capability, 4 Foster Collaboration, 5 Provide National Leadership.)
The National Strategy aims to establish a path to achieve the national vision to secure state information and advice. In order to do so, this national strategy is designed from five core areas:
05
The national cyber security strategy aims to chart a path to achieve the national vision to secure national information and communications. In order to do so, this national strategy has been designed from five core areas:
Strategic Focus Area: Prepare and Prevent
  Definition: Strengthen the security of UAE cyber assets and reduce corresponding risk levels.
  Main Objectives: Elevate the Minimum Protection Level of Cyber Assets; Ensure Compliance to UAE Cyber Security Standards and Verify Effectiveness.
Strategic Focus Area: Respond and Recover
  Definition: Manage incidents to reduce impact on society and the economy.
  Main Objectives: Develop and Embed Incident Response Management Capabilities; Improve Threat Neutralization Capabilities.
Strategic Focus Area: Build National Capability
  Definition: Cultivate cyber security research and innovation and develop UAE's workforce to meet cyber security needs.
  Main Objectives: Inform and Educate UAE Public and Workforce; Foster Cyber Security Research and Innovation.
Strategic Focus Area: Foster Collaboration
  Definition: Foster collaboration between national and international stakeholders to catalyze cyber security efforts.
  Main Objectives: Cultivate a Collaborative National Cyber Society; Leverage and Contribute to International Efforts.
Strategic Focus Area: Provide National Leadership
  Definition: Provide national leadership to orchestrate local and emirates cyber security initiatives at the national level.
  Main Objectives: Develop National Cyber Security Strategy and Implementation Initiatives; Coordinate and Guide National Cyber Security Implementation.
06
Principles of Successful NCSS Implementation
Integrated Planning
The importance of the involvement of all key stakeholders in the integrated planning process is to ensure:
• Permanent cooperation and joint activities among all stakeholders
• Identification of existing challenges and ways to overcome them
• Dissemination of relevant information to reach the competent authorities in a timely manner
• Reduction of gaps and overlap between different initiatives and activities
Shared Operational Responsibilities
To ensure effective implementation, it is essential that the various entities involved at the operational level participate in the various cyber security initiatives and activities.
Monitored Progress and Improvement
• Follow up the implementation stages and the effectiveness of the results to ensure appropriate improvements and the overall success of the program.
• Ensure effective performance management, support and guidance.
07
The NIAF outlines the entity, sector and national contexts of IA through a lifecycle-based approach supported by a set of UAE standards, an effective information-sharing capability and a comprehensive governance program governed by TRA.
UAE National IA Framework components:
1 Entity Context: Risk-based approach to identifying and protecting key information assets within an entity
2 Sector and National Context: Value-added components that establish the links from an individual entity to the sector and national context
3 Information Sharing: Primary mechanism for entities to effectively exchange information with external actors
4 UAE Standards: Common, sector-specific and product/service-specific standards applicable to specific stakeholders or across all stakeholders
5 National IA Governance: Management elements needed to monitor progress and successfully implement the national IA framework
08
Through this framework, TRA aims to ensure a minimum level of IA capabilities within all UAE entities and establish a common approach that allows them to interact with each other and approach IA with a sector and national perspective.
National Level: NCSA issues and manages the UAE NIAF and supporting standards, and is responsible for maintaining the national IA context.
Sector Level: The sector regulator collaborates with NCSA and operators for the implementation of the UAE NIAF and sector-specific standards, and is responsible for maintaining the sector IA context.
Entity Level: Within a sector, entities apply the UAE NIAF and are responsible for maintaining the entity IA context.
Sectors shown: Public Administration, Health, Water & Electricity, Emergency Services, ICT, Government Sector, Financial, Chemical, Nuclear, Oil & Gas.
(Figure: within each sector, Entity 1 to Entity n, Operator 1 to Operator n, Provider 1 to Provider n and Institution 1 to Institution n apply the framework at the entity level.)
09
The purpose of this policy is to identify and develop the necessary application programs to protect critical information infrastructure:
1 Identification of programs for the protection of critical information infrastructure
2 Develop a general national approach to identify critical information infrastructures
3 Identification of electronic security requirements for critical information infrastructures and compliance areas
4 Defining the main roles and tasks of the main stakeholders
5 Develop a general approach to enhance cooperation and communication between critical sectors
(Figure label: Policy: Protection of Critical Information Infrastructure.)
10
The policy also sets out the key stages of applying risk reduction to critical information infrastructures.
Stages of risk reduction:
1 Conduct Sector Baseline
• Prioritization of Sectors for Implementation
• Engagement of Stakeholders
• Identification of Critical National Services
• Identification of Supporting Critical Information Infrastructure
2 Perform Sector/National Risk Assessment
• Threat and Vulnerability Assessment
• Sector and National Cybersecurity Risk Assessment
3 Define Sector Plans
• Identification of CII Cybersecurity Requirements
• Definition of Sector Plans
4 Monitor Implementation
• Implementation of Sector Plans
• Monitoring of Implementation of Sector Plans
(Figure: Reducing risks in vital sectors. A chart plots Impact (Low to High) against Security vulnerabilities (Low to High) for the financial sector, transportation, electricity and water, oil and gas, and critical information infrastructure, with an arrow labelled Reduce Risk.)
11
National standards for information security protection
General standards
12
Information Assurance is a superset of information security; it covers a much broader range of information protection and management aspects, including business/information continuity, disaster recovery, compliance, certification and accreditation, etc.
The Common Standard:
1 Increase level of protection: Provide minimum requirements to increase the level of protection of information systems and supporting systems
2 Prioritization of controls: Applying the standards by a methodology that takes into consideration potential risks
3 Defining roles and responsibilities: Applying the standards by a methodology that takes into consideration potential risks
The Information Assurance Standards:
4 Standards applicability to other criteria: Complements the information security standards currently in place in the relevant authorities
5 Source of unified national standards: Providing unified national standards to ensure the security of information in all concerned entities in the country
13
Standards development stages
Several leading international standards in information security have been analyzed and studied as a key reference for the development of the Information Assurance Standards.
Leading standards for information assurance: ISO 27001, ISO 27002, NIST SP 800-35, ADIC InfoSec Standards, SANS 20
Axes of analysis:
• Scope of controls
• Controls details
• How easy to use
• Prioritization of controls
• Implementation results and global recognition
Analysis results: each standard is scored on a scale of 1-100 against the axes of analysis.
Outcome: UAE Information Assurance Standard. The standards for the UAE have been developed to include the most important areas of the other standards.
14
The standards consist of two main sets of security controls (administrative and technical); there are 188 controls distributed over 15 main areas and prioritized according to four priorities.
Priority 1: 39 controls
Priority 2: 69 controls
Priority 3: 35 controls
Priority 4: 45 controls
Administrative security controls:
• Strategy and planning
• Information security management
• Awareness and training
• Human Resources Security
• Audit and compliance
• Assessment and performance improvement
Technical security controls:
• Asset Management
• Facilities and environment security
• Operations Management
• Telecommunications
• Access control
• Security requirements for contractors (third party)
• Purchase, development and maintenance of information systems
• Information security incidents management
15
The entities will participate in the implementation of the Information Assurance Standards and the development of sector standards in accordance with the Critical Information Infrastructure Protection Policy, through communication and cooperation with the relevant critical entities.
Summary of roles:
Working group on Critical Information Infrastructure Protection
• It is important to involve the sectors in the critical information infrastructure protection working group and to gradually activate them to protect CIIP.
Expert Working Group of Technical Standards
• A working group of technical standards experts will continuously focus on discussing technical topics to prepare the standards and the implementation mechanism.
Cyber security incident response teams
• Through the establishment of the response teams, TRA seeks to develop and activate the response plans for cyber space incidents and to continuously develop and exercise the plans.
• It is important to ensure the cooperation and effectiveness of information sharing and exchange between TRA and the entities.
The entities
• Each entity will have a major role and task in contributing to the working group.
16