The Dubai Electronic Security Centre (DESC), part of Digital Dubai, is preparing to launch Information Security Regulation (ISR) Version 3.0, building on the success of the previous edition (ISR Version 2.0).
The Regulation outlines key practices in information security to be adopted across all Dubai Government entities, along with requirements for information security controls, to ensure appropriate levels of confidentiality, integrity, and availability of information handled within Dubai Government entities.
It aims to provide these entities with the standards to ensure continuity of critical business processes, minimise information security related risks, and prevent information security incidents.
Enhancing cybersecurity
Yousuf Hamad Al Shaibani, CEO of DESC, said: “As Dubai and the UAE continue to make strides in their comprehensive digital transformation plans, we remain committed to our mission to ensure and constantly enhance cybersecurity services in Dubai, bringing them in line with the highest international standards.
“ISR is a powerful tool allowing us to achieve our strategic objectives. Effective implementation of ISR controls can ensure resilience in dealing with risks to information security, which, in turn, can boost consumer confidence, business performance, productivity, and national security.”
ISR is broken down into 13 domains, each taking into consideration one or more major classes of information security: Governance, Operation, and Assurance. It is applicable to all Dubai Government Entities, including employees, consultants, contractors, and visitors who are not government employees but are engaged with the government through various means.
Cloud services
The new version of the ISR builds on the success of ISR Version 2.0, which recorded notable achievements: it encouraged Government entities to use cloud services hosted within the UAE, and set the stage for international cloud service providers to offer their cloud services in the country.
Furthermore, the number of service providers applying for DESC’s Cloud Service Provider (CSP) Security Standard certifications has increased, and entities have started strategically restructuring their organisations to enhance security governance by making the information security function independent and having it report directly to Top Management. This, in turn, allows for better control and compliance. Increases were also reported in the usage of DESC services by government entities, and in overall awareness of information security practices among government staff.
Meanwhile, Version 3.0 features enhancements that enable it to address a range of key aspects: it mandates that UAE Nationals head the information security function or be the CISO, reporting to Top Management; introduces roles and responsibilities for Information Security Champions, Internal Auditors, and the Incident Response Team; and prevents the storage or processing of critical information outside the UAE, including cloud services.
Moreover, the new version introduces a problem management process requirement as part of incident management; minimum security and compliance requirements for external party and managed services; and data centre security controls. It also incorporates a cyber-resilience framework requirement as part of business continuity processes, and aligns to relevant ISO frameworks and industry standards.