Page 12 - Internal Auditor M.E. (English) - June 2018
Information Security
By: Melhem Khoury Nicolas

Information Security Regulation (ISR) – what's changed and why it's important

Introduction

The Information Security Regulation (ISR) version 2 was issued in 2017 by the Dubai Government to enhance the previous 2012 version.

The new version demonstrates leadership in information security and privacy in the Middle East. Given that business services are heavily reliant on technology, this standard becomes the foundation for successful and secure business services, with secure technology a critical component of business activities.

Key changes in ISR version 2 are:

• Emphasis on application of the regulation to all public sector entities of the Dubai Government entities (DGEs).
• Inclusion of information security principles in all relevant aspects of managing DGEs.
• Involving DGE Director-Generals in their ISR steering committee.
• Requiring a comprehensive risk assessment in DGEs.
• Separating the Chief Information Security Officer (CISO) from Information Technology (IT) and creating a new reporting channel between the CISO, top management and the ISR steering committee.
• A new domain added to incorporate information security requirements for cloud security.

While ISR version 2 does not introduce fundamental changes to how information security should be implemented in DGEs, it does introduce enhanced management and governance methods. This article provides commentary on the enhanced standard.

The new Information Security Regulation (ISR) version 2 introduces enhanced information security and privacy.

ISR focus on governance

In September 2017, HH Sheikh Mohammed bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE and Ruler of Dubai, launched the Dubai Cyber Security Strategy, which aims to strengthen Dubai's position as a world leader in innovation, safety and security. A key component of this is the ISRs.

The purpose of the strategy is to build a secure information society, specifically among DGEs. This means the Cyber Security Strategy and information security objectives will be an integral part of every service provided in DGEs. Five guiding principles and five domains containing domain-relevant objectives are identified, so the Cyber Security Strategy is cascaded through public sector, corporate organisations, individuals, customers and users. While corporate organisations have some autonomy in how to implement ISR requirements, the public sector is obligated to implement them. It is intended that there will be audit and assurance activities to assure effective implementation of the ISRs.

ISR implementation takes place in DGEs that have already implemented, fully or partially, ISR version 1 or another Information Security Management System (ISMS). Most DGEs have a pre-existing ISMS, meaning implementation is a matter of assigning existing capabilities to meet the requirements of ISR version 2. No new services or positions will need to be introduced, as a DGE can implement ISR version 2 with simple restructuring. The aim is to have ISR implemented across all DGEs and then assure it is operating effectively.

The diagram below illustrates how development of security starts with a policy and ends with a specific control reviewed by assurance activities. ISR version 2 is meticulously constructed as shown below.

ISR version 2 implementation

The magnitude of effort to comply with ISR version 2 lies in five steps as follows:

• Information Security Steering Committee (ISSC) constitution and sign-off on ISR policies and procedures.
• Successful collection of asset register information.
• Design and implementation of a workable risk assessment methodology.
• Conducting an entity-wide information security awareness campaign.