Strategic Alignment of Information Security Across Dubai Government. Dubai Government Information Security Regulation (DGISR)

Transcription

1 Strategic Alignment of Information Security Across Dubai Government Dubai Government Information Security Regulation ()

2 Government of Dubai 40+ Government Entities across many sectors v1.1 2

3 egovernment Initiative Launched in early 2000 Started with 14 Services in 2001 Now includes over 1500 electronic services سمو الشيخ محمد بن راشد آل مكتوم : دبي بحاجة إلى أن تصبح اقتصاديا مركزا رائدا في االقتصاد الحديث 3

4 Opposing forces - Need to reduce risk exposure - Need for Audit and Compliance - Need to protect government data - Government e-transformation - Proliferation of Technology - Higher Dependency on the Internet - Raise of social media 4

5 Information Security Strategy in the past decade De-centralized approach to Information Security Each entity is responsible for its own information security Allowed for very high pace of innovation and e-transformation Central IS Audit based on IS best practices and COBIT Gave Government Entities a lot flexibility while maintaining a good level of security Presentation Title Information Classification Label 5

6 The Challenge Various standards adopted by Government Entities (CoBIT, ISO,..etc) Varied levels of Maturity in Information Security Small-scale collaborative efforts Lack of Government-wide incident response measures 6

7 What is needed Unified and standardized regulation across Dubai Government Entities. Unified efforts for effective and implementable information security. A technology neutral Information Security framework. A centralized audit and compliance approach. 7

8 Dubai Government Information Security Resolution () H.H. Sheik Hamdan Bin Mohammed Al Maktoum, Dubai Crown Prince and Chairman of the Dubai Executive Council, issued a resolution regarding information security on 28 th May 2012 Resolution Number (13) of Dubai Government Executive Council in Year 2012 to develop an integrated strategy and unified policy for information security and systems in Dubai Government 8

9 Purpose of To establish a Government-wide regulatory approach to information security To ensure an appropriate level of Confidentiality, Integrity and Availability for information assets in Dubai Government Entities To identify the responsibilities required to maintain good information security practices 9

10 Purpose of To prescribe high-level mechanisms that help identify and prevent information security compromises in order to preserve the reputation of Dubai Government Entities To provide guidelines for all Dubai Government Entities to ensure business continuity and to minimize risks and damages 10

11 Scope of The is Applicable to: All Dubai Government Entities Employees, consultants, contractors and visitors, etc. Any Government information regardless of its type and medium (e.g. Printed, Electronic and Non-Electronic Verbal, Written, etc.) Entire entity, not only Information Technology 11

12 Structure The Information Security Regulation is broken down into 12 domains Each domain takes into consideration one or more major class of information security: Governance (sets high level requirements for structuring and managing information security) Operation (technical and/or non technical solutions an entity may use depending on the results of their risk assessment) Assurance (act as the quality assurance for the entity, ensuring that the implemented solution is working as intended) 12

13 Structure Domains: Reflect a key process within information security Objective: Reflects what is to be achieved from the domain Controls: Reflect what is to be applied to achieve the objective Sub Controls: Reflect subordinate detailed controls to the main control 13

14 Domains Structure Domain 1 Information Security Management and Governance Domain 2 Information and Information Asset Management Domain 3 Information Security Risk Management Domain 4 Incident Management Governance Domain 5 Access Control Domain 6 Operations, Systems and Communication Management Domain 7 Business Continuity Planning Domain 8 Information Systems Acquisition, Development and Management Domain 9 Environmental and Physical Security Domain 10 Roles and Responsibilities of Human Resources Operation Assurance Domain 11 Compliance and Audit Domain 12 Information Security Assurance and Performance Assessment 14

15 Structure example Domain 1 Information Security Management and Governance Information Security Classes Governance Objective: To emphasize the importance of having information security as part of the overall enterprise governance Controls: Main Control Roles and Responsibilities of Information Security: Sub Control Board of Directors: The board of directors should accept the responsibility of information security and provide commitment towards it. The entity's board of directors is assigned the responsibility of overseeing a properly managed and implemented information security program/management system and reviewing risk assessment reports. 15

16 Structure example Domain 7 Information Security Classes Business Continuity Planning Governance Operation Objective: Ensure that critical services and business processes within the entity are available Ensure that IT services and infrastructure can resist and recover from failures due to errors, planned attacks or disasters etc. Controls: Main Control Business Impact Analysis: Dubai Government Entity Develops and periodically conducts a business impact analysis for all information systems and processes in order to define and determine the impact of potential operational failures Sets and accounts the responsibility of the Business Impact Analysis to the senior management, with involvement from all affected divisions. 16

17 The Way Forward Finalizing the information security regulation and distributing it to all applicable Dubai Government Entities. Develop an effective strategy to strengthen the partnership and cooperation between government entities and the private sector in the field of information security. Ensure the existence of a contingency plan at the level of government and government entities to maintain the security of information and information systems. 17

18 The Way Forward Take the necessary measures to cope with innovative global solutions in the field of information security. Development, design and implementation of specialized training programs in the field of information security. Etc. 18

19 Thank You 19