NESA, the National Electronic Security Authority, is a government body tasked with protecting the UAE’s Critical Information Infrastructure (CII) and improving national cyber security.
To achieve this, NESA has produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is mandatory for regulators, CII Operators, and other relevant participating stakeholders who support critical national services in the following sectors and subsectors:
- Water and Electricity
- Oil and Gas
- Information System Telecommunications
- Public Administration: National Public Administration, Emirate Public Administration
- Emergency Services
NESA developed the National Cyber Risk Management Framework (NCRMF) based on best international practices and standards. The framework contains content on the Cyber Risk Assessor’s Guidelines and Tools, CIIP (Critical Information Infrastructure Protection Policy), and IAS (Information Assurance Standards). It also includes guidelines on the National Risk Management Plan, Risk Monitoring and Communications Methodology.
NESA lists 24 threats ordered by the percentage of breaches. It also documents the controls corresponding to each threat. This threat-based approach to an information security standard is certainly a step in the right direction to bridge the gap between IT risk and business risk.
OBJECTIVES OF NCRMF
- Introduces the Cyber Risk Assessor’s Guidelines with a pre-assessment checklist, and outlines the framework components and glossary.
- Supports the creation of the National Cyber Risk Management Plan, explains how to implement the different activities of the CII protection process, and fosters trust relationships between CII Operators, CIIP Working Groups and NESA.
- Sets out a step-by-step process for conducting risk assessments, and outlines any sector-specific risk management-related requirements and criteria.
- Provides sector-specific requirements for identifying critical services and their associated business and national impact.
- Provides a process to monitor progress of risk treatment plans and CII Operators’ internal self-assessment reports, by establishing monitoring roles and responsibilities.
- Facilitates and encourages communication and sharing of best practices between CII Operators and sector regulators and leaders.
- Provides tools and instructions for executing the Risk Assessment Methodology, by determining threat levels and vulnerability severity ratings.
The MetricStream Solution provides the following benefits:
- Centralized Repository of the National Cyber Risk Management Framework and Content: The Solution offers a single point of access to the NCRMF documents, including the CIIP (Critical Information Infrastructure Protection Policy), the Cyber Risk Assessor’s Guidelines, the National Cyber Risk Management Plan and the IAS (Information Assurance Standards). The Pre-Assessment Checklist provides a list of the key documentation, configurations, manuals and similar material required to gain an initial understanding of the systems in scope of the assessment. Users can pick and choose from any of these to manage their risks.
- Defining NCRMF System Characterization: The Solution offers an asset repository in which critical services, functions and business criteria are defined and categorized according to the NCRMF CIA categories (Confidentiality, Integrity and Availability) and impact factors (such as operational and financial), in order to record and report the business impact of each resource, process or asset.
- Establishing Consistent Threat and Vulnerability Management: The Solution lets the risk taxonomy be defined as a hierarchy, making it easy to model threats together with their agents, factors and vulnerabilities as listed by NESA. It combines the vulnerability severity rating of an asset with the business criticality rating of that asset into a Combined Risk Rating (CRR), providing rich business and vulnerability context for vulnerability prioritization. The Combined Risk Rating can be configured through a GRC Business Rule as required by your business.
- Streamlining Cyber Risk Assessments: The Solution provides a central NESA risk management framework that simplifies identifying and analyzing all risks in the cyber operations of an organization, enabling informed decision-making to support business performance and the overall management of business risks. The MetricStream Solution enables a systematic, closed-loop process for planning, scheduling and executing risk assessments across the enterprise.
- Enhancing Risk Assessments from Multiple Perspectives: Using the Solution, companies can assess risks from multiple dimensions, including top-down and bottom-up. This flexibility helps them build a mature risk profile and gives better transparency and visibility into cyber risks across the enterprise. The Solution allows business- and organization-specific algorithms to be implemented for constructing inherent risk score formulas, control score formulas and residual risk score formulas. It also automatically updates residual risk scores as deficiencies are addressed through corrective actions, so that they reflect the true risk profile.
- Enabling UAE IA Control Design and Evaluation: Once the key cyber risks are identified and prioritized, MetricStream leverages the UAE IA Standards and Frameworks to let companies define a set of controls that mitigate those risks. The Solution also allows associated policy and procedure documents to be attached for reference. Assessment plans to evaluate and ensure the effectiveness of the controls can be designed and assigned to owners based on roles and responsibilities. The system supports assessments based on predefined criteria and checklists, and has a mechanism for scoring, tabulating and reporting gaps.
- Automating Investigation and Remedial Actions: The Solution triggers automatic alerts and notifications to the appropriate personnel so that they can initiate immediate remedial actions to contain the impact of an incident and conduct investigations and root cause analyses. The investigation is driven by collaborative workflows that ensure responsiveness by assigning investigative tasks to an individual or a team, with due dates based on the severity level of the incident. Once remediation is initiated, the case remains open until the action plan has been carried out and the results verified for effectiveness. Managers can track the status of the incident throughout.
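The scoring mechanics described above (an asset characterized by CIA categories and impact factors, a vulnerability placed in a threat/agent taxonomy, a Combined Risk Rating driven by a configurable business rule, and inherent, control and residual scores that are recomputed when a deficiency is closed) can be made concrete with a small risk-register model. This is an added example, not MetricStream code and not a formula published by NESA: the 1..3 CIA scale, the 1..5 severity and criticality scales, the multiplicative default rule and the way control effectiveness combines are all assumptions chosen for illustration, and the assets, vulnerabilities and controls are constructed sample data.

```python
# Illustrative risk-scoring model for an NCRMF-style risk register.
# Added example: not MetricStream code. Scales, weights and the default
# business rule are assumptions, not formulas published by NESA.
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Asset:
    """A critical service or system characterized by CIA impact ratings."""
    name: str
    confidentiality: int  # 1 (low) .. 3 (high), assumed scale
    integrity: int
    availability: int
    operational_impact: int = 0  # 0/1 flags for the impact factors (assumed)
    financial_impact: int = 0

    def criticality(self) -> int:
        """Business criticality on a 1..5 scale: highest CIA rating plus impact flags."""
        base = max(self.confidentiality, self.integrity, self.availability)
        return min(5, base + self.operational_impact + self.financial_impact)


@dataclass
class Vulnerability:
    """A vulnerability placed in the threat taxonomy (threat -> agent -> vulnerability)."""
    name: str
    threat: str
    agent: str
    severity: int  # 1 (low) .. 5 (critical), assumed scale


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the risk the control removes once implemented
    implemented: bool = True  # False = a deficiency awaiting corrective action


# The "GRC business rule" is a function of (severity, criticality). The default
# multiplies them, giving a 1..25 rating; an organization can swap in its own.
BusinessRule = Callable[[int, int], float]


def default_rule(severity: int, criticality: int) -> float:
    return float(severity * criticality)


@dataclass
class Risk:
    asset: Asset
    vulnerability: Vulnerability
    controls: List[Control] = field(default_factory=list)
    rule: BusinessRule = default_rule

    def combined_risk_rating(self) -> float:
        """CRR: vulnerability severity combined with asset criticality via the rule."""
        return self.rule(self.vulnerability.severity, self.asset.criticality())

    def inherent_score(self) -> float:
        """Inherent risk ignores controls; in this model it equals the CRR."""
        return self.combined_risk_rating()

    def control_score(self) -> float:
        """Share of inherent risk removed by implemented controls (deficient ones count 0).
        Independent controls combine as 1 - prod(1 - e_i)."""
        remaining = 1.0
        for c in self.controls:
            if c.implemented:
                remaining *= 1.0 - c.effectiveness
        return round(1.0 - remaining, 4)

    def residual_score(self) -> float:
        """Residual = inherent * (1 - control score)."""
        return round(self.inherent_score() * (1.0 - self.control_score()), 2)

    def close_deficiency(self, control_name: str) -> float:
        """Corrective action done: mark the control implemented and return the new residual."""
        for c in self.controls:
            if c.name == control_name:
                c.implemented = True
        return self.residual_score()


def prioritize(risks: List[Risk]) -> List[str]:
    """Order the register by residual score, highest first."""
    ordered = sorted(risks, key=lambda r: r.residual_score(), reverse=True)
    return [f"{r.asset.name}/{r.vulnerability.name}" for r in ordered]


def build_sample_register() -> List[Risk]:
    """Constructed sample data, not taken from any real assessment."""
    scada = Asset("scada-hmi", confidentiality=2, integrity=3, availability=3, operational_impact=1)
    billing = Asset("billing-portal", confidentiality=3, integrity=2, availability=2, financial_impact=1)
    r1 = Risk(scada, Vulnerability("unpatched-hmi-firmware", "Malware", "External attacker", severity=4),
              controls=[Control("patch-management", 0.6),
                        Control("network-segmentation", 0.5, implemented=False)])
    r2 = Risk(billing, Vulnerability("weak-admin-auth", "Unauthorized access", "Insider", severity=3),
              controls=[Control("mfa", 0.7)])
    return [r1, r2]


if __name__ == "__main__":
    register = build_sample_register()
    print("before remediation:", prioritize(register), [r.residual_score() for r in register])
    register[0].close_deficiency("network-segmentation")
    print("after remediation: ", prioritize(register), [r.residual_score() for r in register])
```

With the sample data the SCADA risk has a CRR of 16 (severity 4, criticality 4) and a residual of 6.4 while segmentation is still a deficiency; closing that deficiency raises the control score to 0.8 and drops the residual to 3.2, so the billing risk (residual 3.6) moves to the top of the prioritized register. That reordering is the point of recomputing residual scores as corrective actions complete, rather than scoring once at assessment time.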
THE METRICSTREAM IT GRC SOLUTION
The MetricStream IT GRC Solution, comprising the IT Risk, Security Threat and Vulnerability Management, and Compliance Apps, can be configured to provide a centralized NCRMF framework for identifying and analyzing all risks in the cyber operations of an organization, enabling informed decision-making to support business performance and the overall management of business risks.
The Solution helps automate and rationalize cyber risk management processes, with support for federated risk analysis within units. It gives detailed visibility into risks, risk factors, mitigating controls and metrics (KRIs, KPIs, etc.) with rich context. By automating the entire IT risk management process and workflow, from risk identification and assessment scoring through to mitigation and reporting, the MetricStream Solution provides timely, actionable information for proactively addressing national cyber risks against corporate objectives.
Using the MetricStream Solution, organizations can also establish a consistent and repeatable threat management process. The Solution provides an easy way to harness massive amounts of security data, correlate it with other risk and compliance metrics, and transform it into meaningful dashboard reports to make informed decisions when vulnerabilities occur.
The Solution provides built-in fields to capture the status of assets, and flag them as critical or non-critical, based on various parameters. All asset information, including risks, IT control self-assessments, and control data is stored in a centralized library in a many-to-many manner. Using the Solution, users can define and maintain a centralized structure of the overall compliance and control hierarchy, including processes, asset repositories, risks for the processes and assets, controls to mitigate the risks, and programs to audit and assess the controls and the impacts. The Solution also includes associated policies and procedures, reporting requirements, and filing templates and schedules for the regulations.
These Apps are all stand-alone, with the option to connect to other MetricStream Apps, including the MetricStream IT Audit Management App, MetricStream IT Policy App, MetricStream Incident Management App, MetricStream Vendor Risk Management App and MetricStream Business Continuity Management App. The Solution provides:
- A built-in reporting engine for analytics and business intelligence, and role-based, user-configurable executive dashboards with graphical and drill-down views of threats and vulnerabilities alongside risk assessments.
- Real-time tracking and monitoring of multiple sources, and the ability to configure automatic notifications or ‘early warnings’ by leveraging threat advisories from different vendors, with the complete details of each threat, including its severity, CVE ID, source, affected technologies, available controls, links from the threat to GRC libraries, and possible remediation instructions.
- Secure web-based access for all users, with appropriate views and tabs to initiate action against identified threats, respond to events, manage to-do lists and assigned tasks, and view reports and dashboards.
- A harmonized risk-control library that achieves consistency and compatibility among different risk measurements, methods, procedures, schedules, specifications and systems. It also has an adaptive and flexible data model with configurable forms, fields, reports and workflows, which lets businesses easily model and configure complex projects.
- Intuitive user tools such as visually appealing forms, easily navigable risk assessment tree hierarchies, visual drag-and-drop capabilities for creating risk scoring algorithms, dynamic roll-up and roll-down cyber security risk reports, added or flagged visual indicators of risks, and dynamic tool tips.
- A robust security model with role-based access to risk-control assessments, aligned with CII operator-specific roles and responsibilities.
- The capability to integrate easily with external systems to retrieve, store and deliver risk data.