The Information Security Regulation (ISR) version 2 was issued in 2017 by the Dubai Government to enhance the previous 2012 version.
The new version demonstrates leadership in information security and privacy in the Middle East. Given business services are heavily reliant on technology, this standard becomes the foundation for successful and secure business services, with secure technology a critical component of business activities.
Key changes in ISR version 2 are:
- Emphasis on applying the regulation to all public sector entities of the Dubai Government (Dubai Government entities, or DGEs).
- Inclusion of information security principles in all relevant aspects of managing DGEs.
- Involving DGE Director-Generals in their ISR steering committee.
- Requiring a comprehensive risk assessment in DGEs.
- Separating the Chief Information Security Officer (CISO) from Information Technology (IT) and creating a new reporting channel between CISO, top management and the ISR steering committee.
- A new domain added to incorporate information security requirements for cloud security.
While ISR version 2 does not introduce fundamental changes to how information security should be implemented in DGEs, it does introduce enhanced management and governance methods. This article provides commentary on the enhanced standard.
The new Information Security Regulation (ISR) version 2 introduces enhanced information security and privacy.
ISR version 2 implementation
In September 2017, HH Sheikh Mohammed bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE and Ruler of Dubai, launched the Dubai Cyber Security Strategy, which aims to strengthen Dubai’s position as a world leader in innovation, safety and security. A key component of this strategy is the ISR.
The purpose of the strategy is to build a secure information society, specifically among DGEs. This means the Cyber Security Strategy and information security objectives will be an integral part of every service provided in DGEs. Five guiding principles and five domains containing domain-relevant objectives are identified, so the Cyber Security Strategy is cascaded through public sector, corporate organisations, individuals, customers and users. While corporate organisations have some autonomy in how to implement ISR requirements, the public sector is obligated to implement them. It is intended there will be audit and assurance activities to assure effective implementation of the ISRs.
ISR version 2 is being implemented in DGEs that have already implemented, fully or partially, ISR version 1 or another Information Security Management System (ISMS). Most DGEs have a pre-existing ISMS, so implementation is largely a matter of assigning existing capabilities to meet the requirements of ISR version 2. No new services or positions need to be introduced, as a DGE can implement ISR version 2 with simple restructuring. The aim is to have ISR implemented across all DGEs and then to assure that it is operating effectively.
The diagram below illustrates how development of security starts with a policy and ends with a specific control reviewed by assurance activities. ISR version 2 is meticulously constructed as shown below.
ISR focus on governance
The magnitude of effort to comply with ISR version 2 lies in five steps as follows:
- Information Security Steering Committee (ISSC) constitution and sign-off on ISR policies and procedures.
- Successful collection of asset register information.
- Design and implementation of a workable risk assessment methodology.
- Conducting an entity-wide information security awareness campaign.
- Sign-off of user acceptance policy, including all information security policies.
These steps are a prelude to the requirements to involve management and to enforce policies and procedures across all domains. Hence, the ISR version 2 governance requirements provide that the Director-General or CEO, together with divisional managers or heads, be involved in the ISSC as participants. The idea is to actively involve them in ISR implementation activities. This requires effort in the following spheres.
Good governance requires performance measures (KPIs) to be identified that link desired outputs and outcomes. For example, a Director-General may not know capacity management intimately, but if a KPI threshold is set at 80% and that threshold is exceeded, an early warning is raised at the governance level.
Another change from ISR version 1 to ISR version 2 is that the Chief Information Security Officer (CISO) now reports to the Director-General or the ISSC. This is aimed at giving the CISO direct access to decision-making senior management. ISR version 2 states that “A capable and independent position should take the responsibility of managing information security”. On a practical front, enforcing this change may bring challenges, which could take the form of:
- Redesign of information security policies and procedures.
- Modification of CISO job description.
- Adjustment of job descriptions for information security department staff.
- Addition of ISSC tasks.
- Formulating report templates and formalizing periodic and routine tasks.
As a vital part of the ISR governance aspect, risk assessment is required for two main objectives. The first is to refine existing policies and procedures on a regular basis. The second is to define how effort in the internal audit plan is allocated and capped, so that high-risk areas that require considerable audit effort receive it.
Cloud computing introduces a new set of risk and control implications. ISR version 2 has added a new domain to cater for cloud security. For security reasons, cloud services are to be provided only through local UAE companies, with no data stored offshore. While cloud security may not apply to some DGEs, the requirement is that cloud services be contracted to service providers operating in the UAE. This means that if a DGE has pre-existing contracts with offshore companies, it will need to revise those contract arrangements.
Auditing ISR version 2
ISR is a regulatory document that defines information security law in the UAE. This means that planning an ISR audit needs to consider:
- Law and regulations (Reference: ISR version 2 Section 11.1 Compliance with Federal and Local Government Legal Requirements).
- Internal DGE policies and procedures.
- Other information security standards implemented.
These additional considerations add a burden to audit planning, with the auditor needing to cross-match these inputs to develop an audit plan that incorporates the regulatory requirements.
ISR audit in action
A specific approach to ISR audit planning is required to ensure the audit does not miss any vital part of the related legislation. The audit approach has to factor in the specifics of the DGE being audited. Audit clients tend to be critical of an auditor's approach and of any lack of subject matter knowledge. A cyclical audit approach, such as the one shown in the following diagram, can be useful to keep the focus on the audit objectives.
Planning for an ISR audit
ISR version 2 implementation comes with laws and regulations to consider. For this reason, planning an ISR audit can involve numerous sources. Auditors will use a risk assessment to help plan their audit. They also need to consider the laws that apply to every department at the DGE. To do that, auditors have to prioritize their inputs to develop a workable audit work plan. The diagram below illustrates some of the sources that ISR auditors may consider in planning an ISR audit.
Conducting the ISR audit
Conducting the ISR audit can be hampered by busy schedules, and confirming findings can be hampered by defensiveness or misunderstanding. Asking the right questions, however, demonstrates a diligent understanding that interviewees appreciate. This makes the best use of the time available, reduces misunderstanding and smooths the interview.
To achieve this, the auditor has to think in terms of standardization: in other words, what is common to all departments and what is specific to each. The aim is to gather the common fields, apply those fields across all departments, and add to each department's questionnaire its own specific fields. This makes consolidating answers and feedback faster than collating individually designed questionnaires.
Most DGE departments are busy, with their schedules subject to change. Audit work should be well-planned so there is minimal disruption to audit clients. Proactively asking audit clients to provide their time availability allows for practical planning to make the best of the time available from DGE employees. The table below illustrates an example of how to capture audit client availability when planning the audit schedule.
Reporting ISR audit results
The most important part of an ISR audit is concluding the audit and communicating the results to stakeholders. A workable approach to avoiding resistance and defensiveness is to work with the audit client to validate the audit outcomes and to develop effective action plans to remediate the risks identified by the audit.
The audit report should address the needs of multiple stakeholders such as the ISSC, technical areas, and users. Reporting to the ISSC can generally be a high-level summary to assist with decision-making. Reports should specify areas where improvement is required. Technical reporting aspects should focus on practical matters related to the design and configuration of technology services that need improvement.
Finally, action plans should provide a clear summary of action required, who is responsible, and an agreed time frame for implementation.
The sample below can further be reduced to three fields such as control, requirements, and action. The objective is for the user to implement cost-effective controls that work.
ISR version 2 sheds light on what is needed to have effective information security. It is an opportunity for organisations to learn from the discipline brought by ISR and to build strong information security capability.