A Government-wide Information Security Programme
A Case of the Western Region Municipality, Abu Dhabi, UAE
(Presented @ 3rd Annual CISO Asia, Singapore – Nov. 2014) Presented by:
Irene Corpuz, MSc, ITIL, PMP
The United Arab Emirates
Agenda:
1. Overview of the United Arab Emirates
2. Abu Dhabi and its Vision 2030
3. A Unified approach to Information Security through the ADSIC Information Security Program
The United Arab Emirates
42 Years: In just 42 years, they have converted the desert into gold...
Oil & Gas: It is one of the leading producers of oil in the Middle East and in the world
Population: 9.2 million as of 2013
Very ambitious targets... And they don’t remain as targets
EXPO 2020: UAE won the bid to host the Expo 2020
The 7 Emirates
ABU DHABI
UAE is the home of some of the unique building infrastructures
Abu Dhabi – UAE‘s Capital
Abu Dhabi Vision 2030
Abu Dhabi’s Seven Areas of Ongoing Economic Policy Focus
1. Build an Open, Efficient, Effective and Globally Integrated Business Environment
2. Adopting Disciplined Fiscal Policies that are Responsive to Economic Cycles
3. Establish a Resilient Monetary and Financial Market Environment with Manageable Levels of Inflation
4. Drive Significant Improvement in the Efficiency of the Labour Market
5. Develop a Sufficient and Resilient Infrastructure Capable of Supporting Anticipated Economic Growth
6. Developing a Highly Skilled, Highly Productive Workforce
7. Enable Financial Markets to Become the Key Financiers of Economic Sectors and Projects
Unifying the approach to a secured infrastructure across ALL Abu Dhabi Government Entities
Abu Dhabi Systems & Information Center (ADSIC) - 2008
The Centre is considered as the governmental party that owns the IT agenda of the Emirate, and has the authority to practice the following competences:
1. Supervise the implementation of the e-Government program in Abu Dhabi Government entities (ADGEs).
2. Develop the ADSIC Information Security Programme.
Implemented effectively, it can be instrumental in government delivering better quality, more robust and higher value services that citizens and residents can place their trust in.
Abu Dhabi Systems & Information Center (ADSIC)
ADSIC Information Security Programme
The ADSIC Information Security Programme is developed according to, and guided by, the existing laws and policy in the UAE:
1. Article 24 of Federal Law No. 1 of 2006
2. Federal Law No. 5 of 2012
3. Abu Dhabi Government Policy Agenda 2030
And the following standards:
1. ISO 27001
2. ISO 22301
3. NIST Special Publication 800-53 Rev 30
ADSIC Informa2on Security Programme
Abu Dhabi Municipality (1962)
Al Ain Municipality (1967)
Western Region Mun. (2006)
Department of Municipal Affairs (DMA)
By 2016, ALL Abu Dhabi Government Entities (ADGEs) should comply and pass the requirements according to the ADSIC Standards.
Implementing ADSIC Information Security Standards is MANDATORY
For WRM, where does the challenge come from?
Both Municipalities have:
1. applied the ADSIC Information Security Programme V1 since 2009
2. been certified by ADSIC based on ADSIC Standards V1
3. passed the ISO 27001 Certification
Where is the Western Region?
Silaa
Mirfa
Gyathi
Liwa
Madinat Zayed
Delma
The road to the Western Region
Will these people care about information security?
What is important to the citizens at the western region?
What are the initial but significant steps?
Services Inventory
• Identify all the services provided to the citizens and residents in the region
• Identify all internal services where information security is critical
Information Asset Inventory
• Out of the services provided, what kind of information is generated
Information Assets are classified
• Secret
• Confidential
• Restricted
• Public
What kind of services does WRM provide?
There is a government initiative to put the services in the Municipality website and offer as:
1. eService
2. mService
Land & Property management
Community Services
Building Permits
Spatial Data (GIS)
Parks & Facilities
Roads & Infrastructure
Providing services electronically (e-service) in different levels:
Listed
Static
Interactive
Transactional
Which services are critical and of high importance?
• ERP: Employees confidential information
• Food Distribution System: Rice, juices, sugar, coffee, water & various stuff
• Land & Property management: Buildings, rent & sales, distribution
• GIS: Maps, satellite pictures, planning maps
Monitoring the Infrastructure
• UTM
• SIEM
• DLP (Data Loss Protection)
• WAF
• IDPS
Detecting and Responding to Attacks
Addressing web-based threat
Bringing it all together
Protecting Data Resources
Other ac2vi2es performed by WRM
Unified IT IS Policy & IT Policy Manual
DMA Initiative to unify all IT Information Security Policy and the IT Policy Manual across all municipalities
Gap Analysis
Self-assessment according to the ADSIC Information Security Control Specifications allowed us to determine the gap from current to 2016 objective
VAPT (public IPs & Application)
✓ 1. Vulnerability Assessment was conducted by aeCERT on all PUBLIC IPs of WRM
✓ 2. VAPT was conducted by a 3rd party consultant on 5 critical applications of WRM
The Self-Assessment conducted by WRM according to the ADSIC Programme?
Section 1: Summary of Work to date
Section 2: Control Standards & Specifications
Section 3: Control Ownership
Section 4: Implementation Status
Section 5: Control Effectiveness
What will be the outcome of self-assessment?
Once completed, the outcome of the self-assessment is a sort of gap analysis which will indicate the weak control specifications that need to be prioritized.
Accomplishments & future plans
Training & Awareness sessions escalated the maturity level of WRM in terms of Information Security
2014
1. Information Security Certified Training (HCT CERT)
2. Vulnerability Assessment conducted by aeCERT
3. Gap Analysis
4. Risk Assessment
2015
1. Information Security Certified Training (HCT CERT)
2. Alignment with the unified approach under DMA
3. Achieve compliance with the ADSIC Standards for Highest Categorization Services
2016
Achieve full compliance with AD Information Security Standards
The Direction of the UAE
The DUBAI Smart CITY
On 5 March 2014, H. H. Sheikh Mohammed bin Rashid Al Maktoum launched a strategy to transform Dubai into a 'Smart City'.
Dubai will have a 5-D control room, the world's largest room which will be used to follow-up the process of transforming Dubai into a Smart City and to oversee the government projects and service indicators; such as, roads, weather conditions and emergency situations.
The strategic plan to transform Dubai into a Smart city is based on three basic ideas: communication, integration and cooperation.
VISION 2030
Conclusion
Challenges include preparing the federal entities with the necessary technological infrastructure, reducing the digital divide by driving people to use government services through mobile phones and portable devices, assuring them of privacy and security of their data.
ABU DHABI
Thank you!
Speaker’s Profile: Irene Corpuz is the Head of Planning & IT Security at the Western Region Municipality. She acquired her Masters of Science in IT at the University of Wales, UK. She has 25 years of diversified experience in IT including IT Security, Strategy & Service Management. Her other certifications and expertise are in the fields of Quality & Excellence (ISO & EFQM), Project Management & Knowledge Management, and she has gained the essential certifications in each specialization. Her certifications include: ITIL Service Manager, ITIL V3 Foundation, CKM, EFQM Certified Assessor, ISO Lead Auditor (QMS & ISMS) and PMP. Irene has led strategic projects in all her fields of expertise in various projects in Asia, the UAE, UK and the USA, and has received prestigious awards including Gold Stevie Awards for Women in Business – Employee of the Year (New York, 2013); Bronze Stevie Awards for Women in Business – Executive of the Year (New York, 2013); Filipino Achiever in the UAE Award (UAE, 2014); and appreciations for her successful ISO & EFQM projects in the UK and Washington DC.