What is NESA compliance?

NESA stands for National Electronic Security Authority, a government institution that provides strict guidelines to organizations for keeping their information security capabilities in line with the highest standards and for countering cyber security threats. The compliance requirements are outlined in the UAE IA Standards, which require organizations to implement them across their information assets and supporting systems.

Compliance with the NESA UAE IA Standard is mandatory for all UAE government entities and for other entities identified as critical by NESA, as it is an essential facet of the National Cyber Security Strategy and also forms the minimum requirement for integrating with the Sector and National platforms. For all other UAE entities, NESA highly recommends following the guidelines on a voluntary basis, in order to participate in raising the nation’s minimum security levels.

Organizations that follow these compliance requirements attain a number of benefits including greater protection of their information assets, and fostering of a security-conscious culture that is useful for overcoming emerging security challenges.

What does it involve?

The UAE IA Standards promote a life cycle approach for establishing, implementing, maintaining, and continuously improving Information Assurance. This life cycle approach ensures continual improvement of the UAE’s Information Assurance capabilities based on well-defined activities.

  • UNDERSTANDING an entity’s and/or sector’s information security requirements and the need to establish a policy and objectives for information security
  • CONDUCTING risk assessments, identifying appropriate risk treatment actions, and selecting controls to manage the risks
  • IMPLEMENTING and operating security controls to manage information security risks in the context of the entity’s or sector’s overall business risks
  • MONITORING and reviewing the performance and effectiveness of the information security processes and controls
  • ENSURING continual improvement based on objective measurements

NESA Compliance Management Solution (NESA- CMS)

A fully managed solution for cyber security compliance requirements of NESA UAE IA Standard.

Paladion’s expertise in crafting information security solutions for enterprises gives it the credibility to enable organizations to meet NESA compliance standards. Our NESA compliance service includes the industry’s first fully managed solution, the NESA Compliance Management Solution (NESA-CMS). This is a one-stop package for entities that are mandated by NESA to demonstrate their compliance with the stringent cyber security requirements of the UAE IA Standard. It is important for entities to understand that demonstrating initial compliance is the start of the journey, not the end. Entities will have to show, annually, that their cyber security controls are sustained and increasing in maturity, first to the sector regulators and in turn to the NESA authorities. To this end, the managed model of NESA-CMS acts as an extended arm of the entity, managing its compliance requirements efficiently and effectively on an ongoing basis.

NESA Compliance Management Solution (NESA-CMS)

| Managed NESA GRC | Managed Network Security | Managed Endpoint Security | Managed Mobile Device Security | Managed Security Testing & Monitoring |
| --- | --- | --- | --- | --- |
| NESA GRC Implementation | Perimeter Security | Endpoint protection | Mobile Device Management | Security Testing |
| NESA Compliance Audit Support | Web Proxy | DLP | Mobile Application Management | Security Log collection & analysis |
| Ongoing Sustenance of NESA GRC | URL Filter | Patch Management | Mobile Email Management | Log Retention |
| | Wi-Fi Security | Backup Management | Mobile Browsing Management | Security Incident Management |
| | Remote User Access Security | Client VPN | Mobile Endpoint protection | Brand Monitoring |

NESA-CMS is composed of 5 main solution components

  • Solution Component 1- Managed NESA GRC
  • Solution Component 2- Managed Network Security
  • Solution Component 3- Managed Endpoint Security
  • Solution Component 4- Managed Mobile Device Security
  • Solution Component 5- Managed Security Testing & Monitoring

Paladion’s NESA compliance service gives implementing entities the flexibility to choose the desired solution components as per their business and compliance requirements.

Solution Component 1- Managed NESA GRC

The implementation of Solution Component-1 is undertaken by Paladion in the following manner.

Phase 1: Critical Services Identification
  • Project Planning
  • High Level Organization Understanding
  • Identify Critical Business Services
  • Identify information infrastructures supporting critical national services

Phase 2: Gap & Risk Assessment
  • Assess existing control gaps vis-a-vis NESA UAE IA Standard
  • Assess threats and vulnerabilities that can exploit the gaps
  • Identify Cybersecurity controls that will reduce the identified risks
  • Define a detailed NESA Implementation Roadmap

Phase 3: Control Development and Implementation
  • Implement P1 controls
  • Develop P2 Controls
  • Implement P2 Controls
  • Develop P3 Controls
  • Implement P3 Controls
  • Develop P4 Controls
  • Implement P4 Controls
  • Conduct comprehensive security awareness program

Phase 4: Control Effectiveness Check and Audit
  • Assess performance of the implemented controls
  • Conduct pre-compliance audit
  • Assist organization in meeting compliance to NESA requirements during the compliance audit

As part of Paladion’s NESA compliance service, we will develop and implement all P1, P2, P3 and P4 controls prescribed by the NESA UAE IA Standard.

Priority Level       P1   P2   P3   P4
Number of Controls   39   69   35   45

The above set of 188 controls includes 35 mandatory controls referred to as “Always Applicable”, as these represent requirements for instituting foundational IA capabilities within an entity. Given their foundational role, the “Always Applicable” security controls need to be implemented by each relevant entity regardless of its risk assessment outcomes. Applicability of the remaining 153 security controls is decided as an output of the risk assessment results, taking into consideration the specific business and operational context of the entity.

Solution Component 2- Managed Network Security

The implementation of Solution Component-2 will include deployment & ongoing administration of perimeter security devices e.g. firewall & IPS, web proxies, URL filter, Wi-Fi security, remote user access security etc. Implementing entities will have the choice to select the desired technologies as per the technology requirements of UAE IA Standard.

Fully Managed Service
  • We provide a ‘complete network security package’ in a service model: network security technologies bundled with comprehensive services for deployment, management, operations, monitoring and support, delivered remotely from our SOC.
  • You do not need to procure any technology, hardware or software, or build security skills to deploy, manage and operate the network security set-up.
  • Simplified and fast deployment and operations in an opex model with zero upfront capex.
Continuous 24x7 Protection
  • We provide all the services that you need for robust protection of your network on a 24×7 basis (network security management, operations, monitoring and support) from our ISO 27001 certified SOC, managed by security experts, to give you peace of mind that your network is protected against threats at all times.
  • Pre-configured policies and rules based on industry best practices that can be modified to suit your requirements.
  • Easy policy and configuration management, monitoring, enforcement and prompt response in case of any events.
“Always-On” Unified Visibility and Control
  • You get access to our Customer Portal, which provides real-time security and service delivery visibility into the status of your network security and other security services delivered by Paladion OnDemand. This helps you achieve better, unified control of your security outcomes.
  • The portal can be accessed from anywhere at any time, thus providing “Always-on” 24x7x365 visibility of your security posture with respect to network security. Customers can use the portal to view security and compliance reports and dashboards, and also interact with our SOC through ticketing workflow management.
Comprehensive Reports & Dashboards
  • The Customer Portal provides you with complete, 24×7 visibility into the outcomes of network security services, with on-demand reporting.
  • You get intuitive and easy-to-read reports and dashboards that meet the requirements of management as well as technical personnel, and several regulatory requirements.
  • You can view several pre-built reports and dashboards, as well as define your own custom reports and dashboards.
Easily meet & demonstrate regulatory compliance
  • Our NESA compliance service enables you to demonstrate regulatory compliance to auditors quickly and effectively.
  • We have pre-built and customizable report templates that help generate consolidated reports to meet compliance requirements.
  • You do not need to invest time and effort in gathering data from several sources to be able to show compliance to auditors.

Network Security Service Capabilities
  • Firewall/IPS
  • Gateway Anti-virus
  • URL/Web Content Filtering
  • VPN & Roaming User Management
  • Web 2.0 Controls
  • Botnet Filtering
  • Geo-IP Filtering
  • Proxy Caching
  • Bandwidth Control
  • Reports & Dashboards
  • Policy and Configuration Management
  • Customer Portal
  • Wi-Fi
  • Compliance & Monitoring

Solution Component 3- Managed Endpoint Security

The implementation of Solution Component-3 will include deployment & ongoing administration of endpoint protection solution, DLP agent, patch management solution, backup & restoration solution, client VPN etc. Implementing entities will have the choice to select the desired technologies as per the technology requirements of UAE IA Standard.

Endpoint Security Service Capabilities
  • Anti-Virus/Anti-Malware
  • Firewall
  • Device Control
  • Application Control
  • Patch Management
  • Desktop Compliance
  • IT Usage/Productivity
  • Back-up (local)
  • Client VPN
  • Inventory
  • Policy and Configuration Management
  • Reports & Dashboards
  • Compliance & Monitoring
  • Customer Portal

Solution Component 4- Managed Mobile Device Security

The implementation of Solution Component-4 will include deployment & ongoing administration of mobile device management solution, mobile application management module, mobile email management module, mobile browsing management module, mobile endpoint protection module etc. Implementing entities will have the choice to select the desired technologies as per the technology requirements of UAE IA Standard.

Mobile Device Security Service Capabilities
  • Mobile Device Management (MDM)
  • Mobile Application Management (MAM)
  • Mobile Email Management (MEM)
  • Mobile Browsing Management (MBM)
  • Mobile Kiosk Management (MKM)
  • Containerization and App Wrapping
  • Geo-Fencing
  • Location Tracking
  • BYOD Management
  • Anti-Virus
  • Policy and Configuration Management
  • Reports & Dashboards
  • Compliance & Monitoring
  • Customer Portal

Solution Component 5- Managed Security Testing & Monitoring

The implementation of Solution Component-5 will include deployment and ongoing administration of security testing (e.g. penetration testing, application security testing, configuration review), security log collection and analysis on a 24/7 basis, log retention, security incident management support, and brand monitoring services (e.g. phishing monitoring, website malware monitoring). Implementing entities will have the choice to select the desired technologies as per the technology requirements of the UAE IA Standard.

Security Testing & Monitoring Service Capabilities
  • Security Logs Collection/Aggregation
  • Security Logs Analysis
  • Configurable Log Retention
  • Multiple Devices/Platform Support
  • 24×7 Monitoring from SOC
  • Incident Management Support
  • Risk-based Alert Prioritization
  • Alerts through Email/SMS/Portal
  • Detect both internal & external attacks
  • Daily Malware Monitoring for Websites
  • Rules & Alerts Management
  • Reports & Dashboards
  • Compliance & Monitoring
  • Customer Portal

In summary, the NESA-CMS included in our NESA compliance service provides implementing entities with a fully managed solution for the cyber security compliance requirements of the NESA UAE IA Standard. Paladion is privileged to offer consulting services that help organizations meet regional and international compliance regulations and laws. With over 15 years of experience in the information security industry, we know first-hand the challenges and common errors in protecting your information assets.
