How to Comply with NESA Encryption Requirements

28 Jul 2020 | Michael Waksman

Are you part of a company or organization based in the United Arab Emirates? If so, you need to comply with the new cybersecurity regulations issued by the National Electronic Security Authority (NESA). Finding out which parts of the legislation are relevant to your business can be time-consuming, so in this blog we summarize what NESA says about encryption requirements and share three steps for building a NESA compliance strategy.

NESA in a Nutshell 

  • When?
    The NESA regulations are already in effect.
  • What?
    The new legislation is made up of multiple regulations, the most important being the Information Assurance Standards (IAS). The IAS consists of 188 security controls and standards with which all relevant organizations must comply. Objectives of the IAS:
      • Strengthen security of UAE cyber assets
      • Reduce corresponding risk levels
      • Protect critical data infrastructure
      • Improve threat awareness
  • Who?
    NESA compliance is mandatory for:
      • Government organizations
      • Semi-government organizations
      • Business organizations that are identified as part of the UAE critical infrastructure

What Does NESA Say about Encryption? 

Now that you know a bit more about NESA, let’s have a look at what the regulations specifically have to say about encryption. In short, NESA states that organizations should implement a strong encryption program to protect data both at rest and in transit. The regulations also apply to data that is hosted elsewhere, such as in third-party data centers.

  • IS.5.7
    “Cryptographic controls should be designed and implemented in a manner considerate of the Entity’s need to effectively monitor its information flow, retain oversight of information system usage and protect against malicious software.”
  • IS.5.9
    “For data hosted at Entity-owned facilities, cryptographic protection should be applied to data at rest.”
  • IS.5.10
    “Data hosted at non-Entity-owned facilities (e.g. third-party data centers) should be subject to strong encryption protection at rest.”
  • IS.5.11
    “Data transmitted to/from non-Entity-owned facilities should be subject to strong encryption to protect data in motion.”
  • IS.11.11
    “The Entity should employ gateway-to-gateway strong encryption to protect data traffic transiting between its physical locations, to limit the potential for eavesdropping.”
  • IS.12.6
    “Data of classification ‘Confidential’ or above transiting over a wireless network should be subjected to strong encryption to protect its confidentiality.”

Prepare for NESA Compliance

By taking these three steps, you’ll ensure that your organization is ready to comply with NESA encryption requirements both now and in the future.

1. Understand where your data resides 
You are always responsible for knowing where your data is, whether it’s saved on active computers, cloud services, or network storage. Keep track of your data flows and make sure you know where your information is stored, who is using it, and how it’s being used. This will make it much easier to put in place an encryption plan that covers the totality of your data.

2. Classify and get organized 
Now that you know where your data resides, it’s time to get organized. Create an inventory of all of your sensitive data. If multiple copies of data exist, make sure you take all of them into account. You should also put someone in charge of data protection to show your customers that you’re serious about protecting their sensitive information.

3. Use the right data protection software 
The type of data that needs to be encrypted will help you decide what kind of software your organization should use. For example, if you want to be prepared in the event that one of your devices gets lost or stolen, you should invest in whole disk encryption to protect entire hard drives. The encryption of files, on the other hand, is the best solution to protect data in the event that somebody gains access to your device while it’s in use. For data in transit, you’ll want to use applications that are encrypted end-to-end. Typical email and basic text messaging aren’t safe for anything confidential. 

How Encryption Works

The most effective cryptographic solution that organizations can implement is a complete data protection program. Basically, data encryption works by transforming your data into random characters that cannot be read without the correct key. To scramble and unscramble the text, data encryption makes use of sophisticated algorithms and different keys.

If you want to learn more about encrypting your data and how encryption works, check out our ultimate guide.

Michael Waksman

Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 20 years of communications, technology and leadership experience.

At Jetico, Waksman has led the creation of the corporate identity, raised global brand awareness, built a more commercially driven team and initiated enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the global compliance market and for personal privacy.

Waksman served as vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. A dual citizen, he is a native New Yorker and has been living in the Helsinki region for over 15 years.
