The Regulation aims to ensure confidentiality, integrity, and availability of information in government entities.
The Dubai Electronic Security Center (DESC), part of Digital Dubai, is preparing to launch Information Security Regulation (ISR) Version 3.0, building on the success of the previous edition (ISR Version 2.0) and offering additional enhancements and features.
The Regulation outlines key practices in information security to be adopted across all Dubai Government entities, along with requirements for information security controls, to ensure appropriate levels of confidentiality, integrity, and availability of information handled within Dubai Government entities. It aims to provide these entities with the standards to ensure continuity of critical business processes, minimize information security related risks, and prevent information security incidents.
His Excellency Yousuf Hamad Al Shaibani, CEO of the Dubai Electronic Security Center (DESC), said: “As Dubai and the UAE continue to make strides in their comprehensive digital transformation plans, we remain committed to our mission to ensure and constantly enhance cybersecurity services in Dubai, bringing them in line with the highest international standards. The Information Security Regulation is a powerful tool allowing us to achieve our strategic objectives. Effective implementation of ISR controls can ensure resilience in dealing with risks to information security, which, in turn, can boost consumer confidence, business performance, productivity, and national security.”
The Information Security Regulation is broken down into 13 domains, each taking into consideration one or more major classes of information security: Governance, Operation, and Assurance. It is applicable to all Dubai Government Entities, including employees, consultants, contractors, and visitors who are not government employees but are engaged with the government through various means.
The new version of the ISR builds on the success of ISR Version 2.0, which recorded notable achievements: it encouraged Government entities to use cloud services hosted within the UAE, and set the stage for international cloud service providers to offer their cloud services in the country. Furthermore, the number of service providers applying for DESC’s Cloud Service Provider (CSP) Security Standard certifications has increased, and entities have started strategically restructuring their organizations to enhance security governance by making the information security function independent and having it report directly to Top Management. This, in turn, allows for better control and compliance. Increases were also reported in the usage of DESC services by the government entities, and in overall awareness of information security practices among government staff.
Meanwhile, Version 3.0 features enhancements that enable it to address a range of key aspects: it mandates that UAE Nationals head the information security function or serve as the CISO, reporting to Top Management; introduces roles and responsibilities for Information Security Champions, Internal Auditors, and the Incident Response Team; and prevents the storage or processing of critical information outside the UAE, including cloud services.
Moreover, the new version introduces a problem management process requirement as part of incident management; minimum security and compliance requirements for external party and managed services; and data center security controls. It also incorporates a cyber-resilience framework requirement as part of business continuity processes and aligns with relevant ISO frameworks and industry standards.