NESA ‘s IAS Standards are a threat-based approach that guides the organization in establishing relevant security controls. Based on 24 threats identified by NESA from various industry reports in 2012, every security control mapped was designed to mitigate most of the identified threats which accounts for nearly 80% of the reported breach. With security controls categorized based on priority ranging from P1 to P4 which mean Highest priority to the lowest is established in the IAS guideline. The standard introduced is typically a threat-based approach rather than an asset-based approach which is certainly the right step towards bridging the gap between IT Risk and Business Risk. NESA is a comprehensive standard (Learn more about NESA’s IAS Standard) but may not necessarily protect against highly advanced threats. However, it does cover both Management and Technical control areas, but not in detail with activities specific to each organization.
Let us today understand the Audit and Compliance Process that NESA has drawn out in its guidelines introduced.
Audit and Compliance Process
NESA’s enforcement of Compliance based on a tiered approach. The level of risk that your organization poses to the UAE information infrastructure, determines how NESA and the other regulatory bodies work with you in enforcing Compliance. The level of risk is determined based on both the results of your current security controls and the inherent risk of the industry. The below-given table draws out how compliance to the requirements are enforced and its impact on the organization in question.
| Escalation of Compliance Process |
Impact |
| Reporting | Maturity-based self-assessment by stakeholders in line with mandatory Compliance requirements. |
| Auditing | When appropriate, NESA has the power to conduct an audit on stakeholders by requesting specific evidence in support of the self-assessment report. |
| Testing | NESA also holds a right to commission test of information security measures in place at stakeholders. |
| National Security Intervention | In extreme cases, NESA may directly intervene if they find the activities are leading to high-level national security risks. |
With mandatory standards such as the IAS, there is no specific penalty prescribed by NESA. However, the escalation of scrutiny from regulators and NESA can quickly add up if found non-compliant and pose a great risk to the UAE’s information security Infrastructure. Moreover, non-compliance certainly leaves the organization exposed to the threat which has a far-reaching impact on business than, the penalty itself could affect.
How can VISTA Infosec help organizations achieve Compliance?
VISTA InfoSec is a highly reputed Infosec consulting company, having a global reach and presence across the USA, Singapore, and India with partners in the Middle East including UAE. With 16 years of experience in the Compliance and Regulation field makes them the most preferred choice among others for their Advisory and consulting services. Having said that, the company can help businesses across the UAE achieve Compliance as per NESA Standards and secure their infrastructure from potential threats. Their team of Compliance consultants and expert advisors can help organizations achieve Compliance by identifying and addressing the gap areas in their Information Infrastructure and secure their systems from potential threat/attack/breach. To learn more about our services you can visit our website www.vistainfosec.com
