(National Electronic Security Authority)
What is NESA compliance?
NESA stands for National Electronic Security Authority and is a government institution that aims to provide strict guidelines to organizations for keeping their information security capabilities in line with the highest standards to avoid cybersecurity threats. The compliance requirements are outlined under the UAE IA Standards which require organizations to implement them across their information assets and supporting systems.
Compliance with NESA UAE IA Standard is mandatory for all UAE government entities and other entities identified as critical by NESA as it is an essential facet of the National Cyber Security Strategy and also form as the minimum requirements for integrating the Sector and National platforms. For all other UAE entities, NESA highly recommends following the guidelines on a voluntary basis, in order to participate in raising the nation’s minimum security levels.
Organizations that follow these compliance requirements attain a number of benefits including greater protection of their information assets and fostering a security-conscious culture that is useful for overcoming emerging security challenges.
What does NESA involve?
The UAE IA Standards promote a life cycle approach for establishing, implementing, maintaining, and continuously improving Information Assurance. This life cycle approach ensures continual improvement of the UAE’s Information Assurance capabilities based on well-defined activities.
An entity’s and/or sector’s information security requirements and the need to establish a policy and objectives for information security
Conducting Risk assessments, identifying appropriate risk treatment actions, and selecting controls to manage the risks
Implementing security controls to manage information security risks in the context of the entity’s or sector’s overall business risks
MONITORING and ENSURING
Performance and effectiveness of the information security processes and Ensuring continual improvement based on objective measurements
NESA Compliance Approach
The implementation of NESA Compliance should be undertaken in 4 phases
CRITICAL SERVICES IDENTIFICATION
Project Planning, Identify Critical Business Services across the organization, and Identify Critical Information Infrastructures (CII) supporting critical business services.
Gap and Risk Assessment
Assess existing control gaps vis-a-vis NESA UAE IA Standard, Assess threats and vulnerabilities that can exploit the gaps, Identify Cybersecurity controls that will reduce the identified risks, and Define a detailed NESA Implementation Roadmap Perform Data classification.
Control Development and Implementation
Develop P1, P2, P3, P4 controls Implement support for each and conduct comprehensive security awareness program
Control Effectiveness Check & Audit
Assess the performance of the implemented controls, Conduct pre-compliance audit and Assist the organization in meeting compliance to NESA requirements during the compliance audit