NESA, the National Electronic Security Authority, is a government body tasked with protecting the UAE's Critical Information Infrastructure (CII) and improving national cyber security. To achieve this, NESA has produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is mandatory for regulators, CII Operators, and other relevant stakeholders who support critical national services. NESA developed the National Cyber Risk Management Framework (NCRMF) based on international best practices and standards.
OBJECTIVES OF NCRMF
- Introduces the Cyber Risk Assessor’s Guidelines with a pre-assessment checklist and outlines the framework components and glossary.
- Supports the creation of the National Cyber Risk Management Plan, explains how to implement the different activities of the CII protection process, and fosters trust relationships between CII Operators, CIIP Working Groups and NESA.
- Describes a step-by-step process for conducting risk assessments and outlines any sector-specific risk management requirements and criteria.
- Provides sector-specific requirements for identifying critical services and their associated business and national impact.
- Provides a process to monitor risk treatment plan progress and CII Operators' internal self-assessment reports by establishing monitoring roles and responsibilities.
- Facilitates and encourages communication and sharing of best practices between CII Operators and sector regulators/leaders.
- Provides tools and instructions for executing the Risk Assessment Methodology, including determining threat levels and vulnerability severity ratings.
The GRC Solution can be configured to provide a centralized NCRMF framework to identify and analyze all risks in the cyber operations of an organization.
The GRC Solution provides timely, actionable information so that national cyber risks can be addressed proactively and measured against corporate objectives.
This is done by:
- Automating and rationalizing cyber risk management processes, with support for federated risk analysis across business units.
- Giving detailed visibility into risks, risk factors, mitigating controls and metrics (KRIs, KPIs, etc.) with rich context.
- Automating the entire IT risk management process and workflow, from risk identification and assessment scoring through to mitigation and reporting.
- Maintaining a centralized repository of the National Cyber Risk Management Framework and its content.
- Defining NCRMF system characterization.
- Establishing consistent threat and vulnerability management.
- Streamlining cyber risk assessments.
- Enhancing risk assessments from multiple perspectives.
- Enabling UAE IA control design and evaluation.
- Automating investigation and remedial actions.
HIGHLIGHTS OF THE SOLUTION
- A built-in reporting engine for analytics, business intelligence and executive role-based, user-configurable dashboards.
- Real-time tracking and monitoring of multiple sources, with the ability to configure automatic notifications or 'early warnings' by leveraging threat advisories from different vendors.
- Secure web-based access for all users with appropriate views and tabs to initiate action against identified threats, respond to events, manage to-do lists and assigned tasks, and view reports and dashboards.
- A harmonized risk-control library to achieve consistency and compatibility among different risk measurements, methods, procedures, schedules, specifications and systems.
- Intuitive user tools such as visually appealing forms, easily navigable risk assessment tree hierarchies, visual drag and drop capabilities.
- A robust security model with role-based access to risk-control assessments, mapped to each CII Operator's specific roles and responsibilities.
- Capability to easily integrate with external systems to retrieve, store, and deliver risk data.