Information Security PolicyAbu Dhabi Government

Ve r s i o n 2 . 0

This document is developed by:

Information Security PolicyAbu Dhabi Government

Version 2.0

H.H. Sheikh Khalifa Bin Zayed Al NahyanPresident of the United Arab Emirates - Ruler of Abu Dhabi

H.H. General Sheikh Mohamed Bin Zayed Al NahyanCrown Prince of Abu Dhabi - Deputy Supreme Commander of the UAE Armed Forces

Chairman of Executive Council - Abu Dhabi

With the issuance of the 2nd version of the Information Security Policy, Abu Dhabi marks a new milestone of technology development, seeking the promotion of various work scopes across all sectors; in line with the high performance-based E-Government vision which provides internationally standardized services for all its users.

Abu Dhabi government has attached great importance to utilizing cutting edge technology in developing and enhancing the quality of public services, and hence facilitating the overall process for users. The emirate has achieved a remarkable progress in this area; the use and sharing of electronic information have become essential practices within all government entities. Such irreversible progress necessitated the establishment of a system to ensure the confidentiality, availability and integrity of government information, which ensued in the issuance of the 1st version of Information Security Policy in 2009.

The 2nd version is the fruit of an ongoing process of revision and updating of information security standards. The aim is to reflect the government’s constant commitment to ensuring full protection of Abu Dhabi Government’s information, along with keeping abreast of the rapid changes and development in the field of information technology.

The Information Security Policy is a pivotal part of the Abu Dhabi E-Government strategy, as it aims at supporting both the design and coordination of services, as well as providing secure government information through effective policies and standards. The Policy also oversees practices of information security in government entities, and ensures that access to information systems and their sources is controlled.

Moreover, the Policy constitutes a holistic framework that includes information security, both within and beyond the electronic system range. Thus, such document sets out the standards and requirements to be implemented for information security and protection.

As the managing entity of the Policy, the Abu Dhabi System and Information Center will oversee the appropriate implementation of such program in order to achieve the desired objectives.

All government entities are to incorporate information security as an integral part in their operational processes and activities, and ensure that security and risk related procedures are indispensable drivers of decision-making policies in this regards.

We wish our endeavours will meet with success, so we can contribute to Abu Dhabi’s progress and prosperity, under the wise leadership of His Highness Sheikh Khalifa bin Zayed Al Nahyan, President of the United Arab Emirates, and His Highness General Sheikh Mohamed bin Zayed Al Nahyan, Crown Prince of Abu Dhabi, Deputy Supreme Commander of the UAE Armed Forces and Chairman of the Abu Dhabi Executive Council.

Dr. Ahmed Mubarak Al MazroueiSecretary-General of the Executive Council

Document Configuration Control

Version Release Date Summary of Changes Release Approval

1.0 18 November 2008 First Draft GSEC

2.0 23 January 2013 New version reflecting revision to security domains

GSEC

A review and update of this document will take place when changes require revising the Information Security Policy. Such modifications may relate to changes in roles and responsibilities, release of new legislation or technical guidance or the identification of a new policy area. The General Secretariat of the Abu Dhabi Executive Council, in consultation with appropriate parties, will approve all revisions to this Information Security Policy. When approved, a new version of the Information Security Policy will be issued, and all affected Abu Dhabi personnel will be informed of the changes.

This document should be distributed to:

Title Format Heads of All Abu Dhabi Government Entities

Electronic copy; hard copy

This document should be stored:

Location Format Owner Abu Dhabi Portal Electronic copy ADSIC

ADSIC Website and Office Electronic copy; hard copy ADSIC

This document affects the following persons:

GroupAll Abu Dhabi Government Entity personnel, contractors, and third party individuals directly or indirectly involved in the provision government services.

Contents Definitions

CHAPTER 1 Introduction 1.1 Purpose 1.2 Scope 1.3 Compliance and Enforcement 1.4 Authorities

CHAPTER 2 Information Security Domains 2.1 Information Security Governance 2.2 Information Security Risk Management 2.3 Human Resources Security 2.4 Third Party Supplier Security 2.5 Information Security Training, Awareness and Communication 2.6 Information Asset Management 2.7 Physical and Environmental Security 2.8 Information Systems Design, Development and Testing 2.9 Identity and Access Management 2.10 Information Systems Operations Management 2.11 Information Security Incident Management 2.12 Information Systems Continuity Management

CHAPTER 3 Roles and Responsibilities 3.1 The General Secretariat of Abu Dhabi Executive Council 3.2 Abu Dhabi Systems & Information Centre (ADSIC) 3.3 Abu Dhabi Information Security Working Group (AD-ISWG) 3.4 Abu Dhabi Government Entities (ADGEs)

1

7881010

131515161616

17171718181919

21232324

25

Definitions

2

Definitions Information asset

Emirate

Information Security

Information Security Programme

Information Technology

Threat

Availability

Vulnerability

Abu Dhabi Government Entities

Information SecurityIncident

Privacy

Any knowledge or data, whether tangible or intangible, that has a value to the organisation, such as information or information systems.

The Emirate of Abu Dhabi.

Protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity, availability, authentication and non-repudiation.

A prioritised structuring and deployment of resources in order to achieve a defined set of Information Security capabilities.

Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data.

A potential cause of an unwanted incident, which mayresult in harm to a system or organization.

Ensuring timely and reliable access to, and use of, information.

A weakness within an asset, or group of assets, that can be exploited by one or more threats to manifest a risk.

Any Abu Dhabi Government department, agency, institution, authority, board, centre or wholly-owned company or subsidiary; whether its budget falls within the general budget of the government or is independent of it.

A single or series of unwanted or unexpected Information Security events that have a significant probability of compromising business operations or threatening Information Security.

The protection of personal data that are being processed and/or stored by the Abu Dhabi government entities.

Information Security Policy

3

Confidentiality

Integrity

Chief Information Security Officer (CISO)

Information Security Governance Committee (ISGC)

Third Party

Information Security Domains

The act of preserving authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

The act of guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

The Entity representative with day-to-day responsibility for managing the Entity’s Information Security Programme. The CISO works on behalf of the Information Security Governance Committee in ensuring that the organisation’s Information Security objectives are met. Depending upon the size of the organisation, its business processes and risk profile, the CISO role may be either full or part-time and may be augmented with additional information security personnel, as judged necessary by the Entity.

The decision-making and resource allocation body with primary accountability for ensuring the Entity’s Information Security programme is adequately designed, resourced, monitored and is appropriately aligned with other relevant initiatives. The ISGC should be composed of executive-level representatives equipped to provide sponsorship of the Entity’s Information Security programme and will provide oversight of the work of the Chief Information Security Officer and any supporting security organisation.

An individual or organisation that is recognised as being independent of the parties involved. In the context of these Standards, the term ‘third party’ will normally refer to third-party (i.e. external) suppliers, unless otherwise stated.

Management and functional domains that are grouped into 12 specific families (e.g. Information Security Governance, Information asset Management etc.) in order to provide the foundation for a comprehensive Information Security Programme.

Definitions

4

Abu Dhabi Information Security Working Group (AD-ISGC)

Risk

ADSIC

‘Production’ Information System

Controls

Information

An information sharing body led by the Abu Dhabi Systems and Information Centre and composed of Chief Information Security Officers of Abu Dhabi Government Entities. The AD-ISGC provides a forum for two-way communication on Information Security matters of relevance and applicability across multiple Abu Dhabi Government Entities. The AD-ISGC provides Entities with a mechanism for proposing improvements to Information Security capabilities across the government of Abu Dhabi.

Exposure to danger, harm or loss that may be encountered when vulnerability is exploited by a threat.

The level of impact on entity services, information assets, or individuals resulting from the potential consequences of a threat and the likelihood of that threat occurring.

Abu Dhabi Systems and Information Centre, established pursuant to Abu Dhabi Law No.18 of 2008.

Information systems transition through a lifecycle of: i) ‘Design’ ii) ‘Development’ iii) ‘Testing’ iv) ‘Production’ and v) ‘Retirement/Replacement’.

Information systems will have ‘Production’ status when being used to access, modify, transmit or store the entity’s business records.

The application of people, process and/or technology in support of transacting business and managing risk. Controls can be technical or managerial in nature.

Control Standards, as defined within the Abu Dhabi Information Security Standards, provide definition of control categories and types expected to be implemented by Abu Dhabi Government Entities.

Any communication or representation of knowledge such as facts, data or opinions in any medium or form; including textual, numerical, graphic, cartographic, narrative, audio or visual forms.

Information Security Policy

5

Authorising Official

Information System

Recovery Point Objective (RPO)

Recovery Time Objective (RTO)

Individual who has the ultimate responsibility to accredit all Government services. This individual accepts responsibility for the security of the service and accountability for any adverse impacts to the entity if a breach of security occurs.

A discrete set of information resources organised for the collection, processing, maintenance, use, sharing, dissemination or disposal of information, including manual processes or automated processes. This includes information systems used by an entity either directly or used by another entity, or a contractor under a contract with the entity that: (i) requires the use of such information systems; or (ii) requires the use, to significant extent, of such information systems in the performance of a service or the furnishing of a product. Information systems may generate outputs that are electronic and/or paper-based.

The maximum tolerable period in which data might be lost.

The maximum tolerable outage that can be accepted on an information system.

Definitions

CHAPTER 1 Introduction

8 Information Security Policy

Introduction

1.1 PurposeThe Information Security Policy is considered the primary reference for Abu Dhabi Government Information Security. The purpose of this Information Security Policy is to confirm what must be done to secure the Government of Abu Dhabi’s information assets. In this respect, the Policy is supported by the Abu Dhabi Information Security Standards.

Secondly, the Information Security Policy assigns ownership and accountability for meeting these Information Security requirements by delineating specific organisations that have a key role to play in meeting the government’s Information Security objectives. Fulfilling both of these objectives will enable Abu Dhabi to implement a robust Government-wide Information Security capability.

This Information Security Policy is supported by a series of accompanying publications including the Abu Dhabi Information Security Standards, along with associated guides, templates and checklists.

1.2 ScopeThis Information Security Policy is informed by a holistic view of Information Security, not solely focusing Information Technology security. Therefore, the document addresses the security of information within Information Technology systems and also information that resides outside of Information Technology systems – forming an overarching information system. To comprehensively address the various security risks, this policy defines requirements for ensuring that critical Government information is secure, regardless of the medium in which the information resides.

These Information Security requirements are structured in twelve (12) control groupings, herein referred to as Information Security Domains. These are as shown below.

Security Domain Name• Information Security Governance• Information Security Risk Management • Human Resource Security

9

• Third Party Supplier Security • Information Security Training, Awareness and Communication • Information Asset Management• Physical and Environmental Security• Information Systems Design, Development & Testing• Identity & Access Management• Information Systems Operations Management• Information Security Incident Management • Information Systems Continuity Management

The success of the Information Security programme depends upon the collaboration between local government entities and concerned federal government entities. Abu Dhabi Systems & Information Centre (ADSIC) will coordinate the overarching framework, strategy, and standards-setting, and will support to execute the necessary government-wide controls needed to assist Entities in implementing their Information Security programmes. Ultimately, Entities are responsible for implementing the appropriate risk-based security controls to protect the information under their respective cognizance.

Information Security Governance and Risk Management are the foundation of the Information Security Programme. These disciplines require that entities protect Government information assets in a manner commensurate with:

1. Compliance obligations2. Specific risks that apply to the information assets3. Business requirements for service or system

The magnitude of harm that could result from the loss, misuse, unauthorised access to, or modification of such information should inform management decision making.

All Government information requires some level of protection, however, certain information, because of its sensitivity, requires special management oversight. The determination of appropriate security controls and applicability of this special management oversight is determined through the classification of information and the three criteria types defined above.

Introduction

10 Information Security Policy

1.3 Compliance and EnforcementCompliance with this Information Security Policy is mandatory. All Abu Dhabi Government Entities must comply with the roles, responsibilities, and security policies statements set forth in this document to ensure the confidentiality, integrity, and availability of Government information. Further, Abu Dhabi Government Entities must ensure that suppliers engaged by them adhere to the applicable obligations of this Policy and its supporting Information Security Standards.

Abu Dhabi Government Information Systems that fail to comply with this policy may not be allowed to process Government information or connect to other Government systems.

Enforcement and monitoring of this policy is the responsibility of each Entity’s Information Security Governance Committee and Chief Information Security Officer.

1.4 AuthoritiesThis Information Security Policy defines mandatory requirements for protecting information. It is issued in accordance with:

• Article 24 of U.A.E Federal Law No. 1 of 2006 concerning Electronic Transactions & Commerce, which provides for Government to specify appropriate control processes and procedures to ensure the confidentiality, integrity, and availability of electronic records, payments and fees.

• Federal Law No. 5 of 2012 on combating cyber crimes, which establishes the definition of cyber crimes and associated penalties.

• Abu Dhabi Government Policy Agenda 2030.

11

Introduction

CHAPTER 2 Information Security Domains

14

It is the intention of the Abu Dhabi Government to protect its information assets in a manner appropriate to the value of those information assets and the potential harm that could be caused as a consequence of loss, misuse, unauthorised access to, or unauthorised modification of, these assets. The Abu Dhabi Government has put in place this Information Security Policy as a mechanism to provide direction regarding the protection and stewardship of its information assets. Usage, storage, transmission and management of those information assets must be undertaken in a manner conformant with this Policy.

To provide assurance that appropriate confidentiality, integrity, and availability provisions exist for government information assets and to ensure the effectiveness of information security programmes in the government entities, this Information Security Policy was organised into twelve Information Security domains as follows:

Information Security Policy

15

2.1 Information Security GovernanceAbu Dhabi Government Entities shall implement Information Security governance provisions to provide direction and oversight to their Information Security programmes. These programmes will be aligned to the requirements of this Policy and the Abu Dhabi Information Security Standards. These requirements include:

1. Entities shall set and review measurable objectives for their Information Security programmes and make sufficient budgetary provisions to achieve those objectives. Programme objectives should have a primary focus upon addressing areas of most significant risk, achieving compliance obligations and address business needs in a secure manner.

2. Entities shall ensure that suitable resourcing is provided for the organisation’s Information Security programme to be transacted. Entities shall appoint a Chief Information Security Officer (CISO) to undertake day-to-day management of the Information Security programme, supported as necessary by additional security-related roles.

3. Entities shall constitute an Information Security Governance Committee (ISGC) to provide executive-level oversight for the Entity’s Information Security Programme.

2.2 Information Security Risk ManagementAbu Dhabi Government Entities shall apply the Abu Dhabi Information Security Risk Management process in identifying, analysing, responding to and monitoring the most significant Information Security-related risks that the Entity faces. Entities shall be responsible for applying appropriate responses to the most significant risks having a bearing upon their Information Security posture. The responses should be aligned to the Control Standards found within the Abu Dhabi Information Security Standards.

Information Security Domains

16

2.3 Human Resources SecurityAbu Dhabi Government Entities shall implement work design and working practices that provide for personnel with secure access to government information assets. Entities shall make provision for an appropriate segregation of duties, as determined by risk assessment.

Before access is granted to Abu Dhabi Government information assets, Entities shall ensure that personnel have been screened by appropriate authorities. Entities shall ensure that personnel have the required information, training, skills, awareness and competencies to process Government information in a manner appropriate to the information’s classification.

2.4 Third Party Supplier SecurityAbu Dhabi Government Entities shall engage and manage third-party suppliers in a manner supportive of the goals and initiatives of the entity’s Information Security programme. Third party suppliers with involvement in the creation, usage, storage, transmission or destruction of Abu Dhabi government data should ensure that they understand the Information Security obligations imposed upon them by the engaging Abu Dhabi Government Entity and by the Abu Dhabi Information Security Programme.

2.5 Information Security Training, Awareness and CommunicationAbu Dhabi Government Entities shall provide the users of their information assets with training and awareness appropriate to the roles undertaken by those users. Entities shall ensure that the benefits and obligations of their Information Security programmes are actively promoted, with the view to building awareness of, and engagement with, the entity’s Information Security objectives.

Information Security Policy

17

2.6 Information Asset ManagementAbu Dhabi Government Entities shall identify and manage their information assets (including information systems). Records shall be kept regarding the purpose, location, ownership and usage of those information assets. Information assets shall be classified in accordance with the Abu Dhabi Information Classification framework. Information assets (both physical and logical) should have appropriate labelling applied to clearly communicate their information classification.

2.7 Physical and Environmental SecurityAbu Dhabi Government Entities shall provide protection to facilities used in the creation and management of information assets. The protections deployed shall:

1. Ensure critical or sensitive information processing facilities are physically protected from unauthorised access, damage, and interference; and

2. Equipment will be protected from physical and environmental threats.

2.8 Information Systems Design, Development and TestingAbu Dhabi Government Entities shall ensure that information systems and Information Security controls are designed, developed, implemented and tested in a manner aligned to achieving defined, specific Information Security requirements. The entity’s employees, contractors and third party organisations with access to sensitive information or systems shall adhere to this process in order to ensure:

1. Business requirements of new systems or enhancements specify security control requirements;

2. Systems and associated controls are designed, developed, implemented and tested against those requirements.

Information Security Domains

18

2.9 Identity and Access ManagementAbu Dhabi Government Entities shall ensure that access to information systems and information assets in other forms is controlled. Users of information systems and information processing facilities shall be appropriately authenticated, with access and privileges granted on the basis of a verified business need. Entities shall be responsible for monitoring access for appropriate usage and revoking access when no longer required, or when deemed no longer appropriate. Users of information systems and information processing facilities shall be informed as to their obligations and responsibilities for Information Security.

2.10 Information Systems Operations Management Abu Dhabi Government Entities shall ensure that:

1. Processes, technologies and facilities are in place to support the management of information systems while in production.

2. Information systems shall be monitored, against an agreed Information Security baseline, for performance and compliance with the Entity’s Information Security Policy.

3. Key information relating to information system activities shall be logged for future use.

4. Information systems shall be subject to regular data back-up and media shall be handled securely.

Information Security Policy

19

2.11 Information Security Incident ManagementAbu Dhabi Government Entities shall ensure Information Security-related incidents are identified, contained, managed and recovered from in a timely and effective manner. Entities shall ensure that potential incidents are anticipated and planning is undertaken to ensure an appropriate incident response can be mobilised when required. Significant incidents should be reported to ADSIC for appropriate support to be rendered to the Entity and to facilitate cross-governmental information sharing.

2.12 Information Systems Continuity ManagementAbu Dhabi Government Entities shall ensure that information systems and information processing facilities remain accessible for authorised use based on the business requirement. Entities shall develop resource and test an Information Systems Continuity Management Plan. For each information system a Recovery Point Objective (RPO) and Recovery Time Objective (RPO) shall be defined. Continuity planning shall seek to ensure that the agreed RPO and RTO targets can consistently be met, under a range of potential operational and exceptional circumstances. The Information System Continuity Management should be aligned with Business Continuity Management for the entity, where the latter exists.

Information Security Domains

CHAPTER 3 Roles & Responsibilities

22

This policy was developed in coordination with a number of Abu Dhabi Governments Entities and in coordination with strategic partners i.e. local and federal UAE Government entities, is required.

To ensure the objectives of this policy is met and to achieve increased efficiency and effectiveness in implementation of Information Security, General Secretariat Executive Council (GSEC), Abu Dhabi Systems and Information Centre (ADSIC), Abu Dhabi Information Security Working Group (AD-ISWG) and all Abu Dhabi Government Entities (ADGE) will have defined roles and responsibilities to implement this policy.

Information Security Policy

23

Roles & Responsibilities

3.1 The General Secretariat of Abu Dhabi Executive CouncilThe Executive Council shall provide strategic leadership and sponsorship for Information Security across the Government of Abu Dhabi. The Executive Council provides authority to the Abu Dhabi Systems and Information Centre (ADSIC) to manage the Government’s Information Security framework. It requires all Government Entities to adhere to this Policy and the Abu Dhabi Information Security Standards.

3.2 Abu Dhabi Systems & Information Centre (ADSIC)The Abu Dhabi Systems and Information Centre (ADSIC) shall provide leadership and strategic direction for the Information Security Programme. It shall develop the necessary policy, standards, and guidance to ensure Information Security is effectively implemented and maintained across Abu Dhabi.

ADSIC shall be responsible for leading the Government-wide Abu Dhabi Information Security Programme. These responsibilities shall include, but not be limited to:

• Development of a pan-governmental Information Security implementation strategy.

• Development, publication, maintenance and revision of: - Abu Dhabi Government Information Security Policy (this document) - Abu Dhabi Government Information Security Standards - Supporting implementation guides

• Strategic coordination of the Information Security programme will be undertaken by ADSIC. It will involve Abu Dhabi Government Entities, strategic partners and other stakeholders in order to achieve the programme’s objectives.

• Facilitating the activities of the Information Security Working Group.

• Designing and delivering Information Security-related training and awareness to Abu Dhabi Government Entities.

24

• Developing and submitting a regular report to the Executive Council – General Secretariat regarding the progress and strategic direction of the Information Security Programme. Furthermore, aggregation, consolidation and review of Information Security status reports from Abu Dhabi Government Entities.

• Communicating and escalating, as necessary, serious Information Security issues and concerns to the relevant entities.

• Undertaking assessments of Abu Dhabi Government Entities’ Information Security Programmes and the associated managerial controls.

• Undertaking assessment of Abu Dhabi Government Entities technical and information system-specific controls.

• Establishing and managing a Security Operations Centre (SOC) to monitor government systems and respond to incidents and events with possible direct, indirect or consequential impact on Abu Dhabi information assets.

3.3 Abu Dhabi Information Security Working Group (AD-ISWG)An information sharing body led by the Abu Dhabi Systems and Information Centre and composed of Chief Information Security Officers of Abu Dhabi Government Entities. The Working Group members shall be responsible for:

• Providing real-world feedback on implementation challenges and opportunities arising within Entities’ Information Security programmes.

• Receiving programme status updates from ADSIC and cascading key points within their own organisations.

Information Security Policy

25

• Reviewing draft Information Security documents, ahead of their publication.

• Sharing best practice concepts with peers in other government Entities.

The AD-ISWG will be a consultative and information exchange body. It will not be a decision-making body.

3.4 Abu Dhabi Government Entities (ADGEs)All Abu Dhabi Government Entities shall have the primary responsibility for ensuring that an Information Security programme is implemented and effective within their own organisations. They have explicit responsibility to protect government information assets within their custody.

Abu Dhabi Government Entities shall:

• Appoint a Chief Information Security Officer (CISO) and a supporting Information Security organisation (as necessary, based on the organisation’s size, complexity, service portfolio and risk profile).

• Constitute a regularly meeting Information Security Governance Committee to provide executive-level oversight of the Entity’s Information Security programme and the work of the CISO.

• Publish, and verify conformance with, an entity-level Information Security Policy.

• Undertake a categorisation of the entity’s information assets (including information systems) based on criticality and importance of those assets to the entity and to the government at large.

• Develop and resource an Information Security Programme Plan, which shall be subsidiary to the entity’s Strategic Plan.

Roles & Responsibilities

• Implement a set of common controls in support of the Information Security Programme Plan.

• Implement a set of tailored controls, as necessary, for individual information systems.

• Develop and maintain a register for tracking and managing the most significant Information Security risks.

• Train information users and information system administrators in their Information Security responsibilities.

• Communicate relevant information about threat, vulnerabilities and programme status to relevant stakeholders.

• Support ADSIC in the process of testing and evaluation of the entity information security programme status and provide ADSIC with the requested inputs to achieve the objective of testing and evaluation.

• Regularly report status to ADSIC, against the Information Security Programme Plan’s milestones and other key metrics.

• Build the required capabilities to monitor the information systems and manage Information Security incidents in the entity.

Roles & Responsibilities

Information Security Policy26