Western Region Municipality Presentation at CISO Asia Summit 2014

A Governmentwide Information Security Programme: A Case of the Western Region Municipality, Abu Dhabi, UAE (Presented @ 3rd Annual CISO Asia, Singapore – Nov. 2014) Presented by: Irene Corpuz, MSc, ITIL, PMP

Transcript of Western Region Municipality Presentation at CISO Asia Summit 2014

Page 1: Western Region Municipality Presentation at CISO Asia Summit 2014

A Government-wide Information Security Programme

A Case of the Western Region Municipality, Abu Dhabi, UAE

(Presented @ 3rd Annual CISO Asia, Singapore – Nov. 2014)

Presented by: Irene Corpuz, MSc, ITIL, PMP

Page 2: Western Region Municipality Presentation at CISO Asia Summit 2014

The United Arab Emirates

Agenda:
1. Overview of the United Arab Emirates
2. Abu Dhabi and its Vision 2030
3. A Unified approach to Information Security through the ADSIC Information Security Program

Page 3: Western Region Municipality Presentation at CISO Asia Summit 2014

The United Arab Emirates

42 Years: In just 42 years, they have converted the desert into gold...

Oil & Gas: It is one of the leading producers of oil in the Middle East and in the world

Population: 9.2 million as of 2013

Very ambitious targets... and they don't remain as targets

EXPO 2020: UAE won the bid to host the Expo 2020

Page 4: Western Region Municipality Presentation at CISO Asia Summit 2014

The 7 Emirates

ABU DHABI

Page 5: Western Region Municipality Presentation at CISO Asia Summit 2014

UAE is the home of some of the unique building infrastructures

Page 6: Western Region Municipality Presentation at CISO Asia Summit 2014

Abu Dhabi – UAE's Capital

Page 7: Western Region Municipality Presentation at CISO Asia Summit 2014

Abu Dhabi Vision 2030

Abu Dhabi's Seven Areas of Ongoing Economic Policy Focus

1. Build an Open, Efficient, Effective and Globally Integrated Business Environment

2. Adopting Disciplined Fiscal Policies that are Responsive to Economic Cycles

3. Establish a Resilient Monetary and Financial Market Environment with Manageable Levels of Inflation

4. Drive Significant Improvement in the Efficiency of the Labour Market

5. Develop a Sufficient and Resilient Infrastructure Capable of Supporting Anticipated Economic Growth

6. Developing a Highly Skilled, Highly Productive Workforce

7. Enable Financial Markets to Become the Key Financiers of Economic Sectors and Projects

Page 8: Western Region Municipality Presentation at CISO Asia Summit 2014

Unifying the approach to a secured infrastructure across ALL Abu Dhabi Government Entities

Page 9: Western Region Municipality Presentation at CISO Asia Summit 2014

Abu Dhabi Systems & Information Center (ADSIC) - 2008

The Centre is considered as the governmental party that owns the IT agenda of the Emirate, and has the authority to practice the following competences:

1. Supervise the implementation of the e-Government program in Abu Dhabi Government entities (ADGEs).

2. Develop the ADSIC Information Security Programme.

Page 10: Western Region Municipality Presentation at CISO Asia Summit 2014

Abu Dhabi Systems & Information Center (ADSIC)

Implemented effectively, it can be instrumental in government delivering better quality, more robust and higher value services that citizens and residents can place their trust in.

Page 11: Western Region Municipality Presentation at CISO Asia Summit 2014

ADSIC Information Security Programme

The ADSIC Information Security Programme is developed according to, and guided by, the existing laws and policy in the UAE:

1. Article 24 of Federal Law No. 1 of 2006
2. Federal Law No. 5 of 2012
3. Abu Dhabi Government Policy Agenda 2030

And the following standards:

1. ISO 27001
2. ISO 22301
3. NIST Special Publication 800-53 Rev 30

Page 12: Western Region Municipality Presentation at CISO Asia Summit 2014

ADSIC Information Security Programme


Page 14: Western Region Municipality Presentation at CISO Asia Summit 2014

Abu Dhabi Municipality (1962)

Al Ain Municipality (1967)

Western Region Mun. (2006)

Department of Municipal Affairs (DMA)

Page 15: Western Region Municipality Presentation at CISO Asia Summit 2014

By 2016, ALL Abu Dhabi Government Entities (ADGEs) should comply and pass the requirements according to the ADSIC Standards.

Implementing ADSIC Information Security Standards is MANDATORY

For WRM, where does the challenge come from?

Page 16: Western Region Municipality Presentation at CISO Asia Summit 2014

Both Municipalities have:

1. applied the ADSIC Information Security Programme V1 since 2009
2. been certified by ADSIC based on ADSIC Standards V1
3. passed the ISO 27001 Certification

For WRM, where does the challenge come from?

Page 17: Western Region Municipality Presentation at CISO Asia Summit 2014

Where is the Western Region?

Silaa Mirfa

Gyathi

Liwa

Madinat Zayed

Delma

Page 18: Western Region Municipality Presentation at CISO Asia Summit 2014

The road to the Western Region

Page 19: Western Region Municipality Presentation at CISO Asia Summit 2014

Will these people care about information security?

Page 20: Western Region Municipality Presentation at CISO Asia Summit 2014

What is important to the citizens at the western region?

Page 21: Western Region Municipality Presentation at CISO Asia Summit 2014

What are the initial but significant steps?

Services Inventory
• Identify all the services provided to the citizens and residents in the region
• Identify all internal services where information security is critical

Information Asset Inventory
• Out of the services provided, what kind of information is generated

Information Assets are classified
• Secret
• Confidential
• Restricted
• Public

Page 22: Western Region Municipality Presentation at CISO Asia Summit 2014

What kind of services does WRM provide?

There is a government initiative to put the services in the Municipality website and offer as:
1. eService
2. mService

Land & Property management

Community Services

Building Permits

Spatial Data (GIS)

Parks & Facilities

Roads & Infrastructure

Page 23: Western Region Municipality Presentation at CISO Asia Summit 2014

Providing services electronically (e-service) in different levels:

Listed

Static

Interactive

Transactional

Page 24: Western Region Municipality Presentation at CISO Asia Summit 2014

Which services are critical and of high importance?

• ERP: Employees confidential information
• Food Distribution System: Rice, juices, sugar, coffee, water & various stuff
• Land & Property management: Buildings, rent & sales, distribution
• GIS: Maps, satellite pictures, planning maps

Page 25: Western Region Municipality Presentation at CISO Asia Summit 2014

Monitoring the Infrastructure

• UTM
• SIEM
• DLP (Data Loss Protection)
• WAF
• IDPS

Detecting and Responding to Attacks

Addressing web-based threat

Bringing it all together

Protecting Data Resources

Page 26: Western Region Municipality Presentation at CISO Asia Summit 2014

Other activities performed by WRM

Unified IT IS Policy & IT Policy Manual: DMA Initiative to unify all IT Information Security Policy and the IT Policy Manual across all municipalities

Gap Analysis: Self-assessment according to the ADSIC Information Security Control Specifications allowed us to determine the gap from current to 2016 objective

VAPT (public IPs & Application):
✓ 1. Vulnerability Assessment was conducted by aeCERT on all PUBLIC IPs of WRM
✓ 2. VAPT was conducted by a 3rd party consultant on 5 critical applications of WRM

Page 27: Western Region Municipality Presentation at CISO Asia Summit 2014

The Self-Assessment conducted by WRM according to the ADSIC Programme?

Section 1: Summary of Work to date

Section 2: Control Standards & Specifications

Section 3: Control Ownership

Section 4: Implementation Status

Section 5: Control Effectiveness

Page 28: Western Region Municipality Presentation at CISO Asia Summit 2014

What will be the outcome of self-assessment?

Once completed, the outcome of the Self-assessment is a sort of gap analysis which will indicate the weak control specifications that need to be prioritized.


Page 30: Western Region Municipality Presentation at CISO Asia Summit 2014

Accomplishments & future plans

2014
Training & Awareness sessions escalated the maturity level of WRM in terms of Information Security
1. Information Security Certified Training (HCT CERT)
2. Vulnerability Assessment conducted by aeCERT
3. Gap Analysis
4. Risk Assessment

2015
1. Information Security Certified Training (HCT CERT)
2. Alignment with the unified approach under DMA
3. Achieve compliance with the ADSIC Standards for Highest Categorization Services

2016
Achieve full compliance with AD Information Security Standards

Page 31: Western Region Municipality Presentation at CISO Asia Summit 2014

The Direction of the UAE

Page 32: Western Region Municipality Presentation at CISO Asia Summit 2014

The DUBAI Smart CITY

On 5 March 2014, H. H. Sheikh Mohammed bin Rashid Al Maktoum launched a strategy to transform Dubai into a 'Smart City'.

Dubai will have a 5-D control room, the world's largest room, which will be used to follow up on the process of transforming Dubai into a Smart City and to oversee the government projects and service indicators, such as roads, weather conditions and emergency situations.

The strategic plan to transform Dubai into a Smart City is based on three basic ideas: communication, integration and cooperation.

(Image is for illustration purposes only)

Page 33: Western Region Municipality Presentation at CISO Asia Summit 2014

VISION 2030

Conclusion

Challenges include preparing the federal entities with the necessary technological infrastructure, reducing the digital divide by driving people to use government services through mobile phones and portable devices, assuring them of privacy and security of their data.

ABU DHABI

Page 34: Western Region Municipality Presentation at CISO Asia Summit 2014

Thank you!

Speaker's Profile: Irene Corpuz is the Head of Planning & IT Security at the Western Region Municipality. She acquired her Masters of Science in IT at the University of Wales, UK. She has 25 years of diversified experience in IT including IT Security, Strategy & Service Management. Her other certifications and expertise are in the fields of Quality & Excellence (ISO & EFQM), Project Management & Knowledge Management, and she has gained the essential certifications in each specialization. Her certifications include: ITIL Service Manager, ITIL V3 Foundation, CKM, EFQM Certified Assessor, ISO Lead Auditor (QMS & ISMS) and PMP. Irene has led strategic projects in all her fields of expertise in Asia, the UAE, UK and the USA, and has received prestigious awards including Gold Stevie Awards for Women in Business – Employee of the Year (New York, 2013); Bronze Stevie Awards for Women in Business – Executive of the Year (New York, 2013); Filipino Achiever in the UAE Award (UAE, 2014); and appreciations for her successful ISO & EFQM projects in the UK and Washington DC.
