Qatar is one of the wealthiest countries in the world. As cyber threats worldwide proliferate, shielding Qatar’s critical ICT infrastructure and systems has become a top priority for the Ministry of Transport and Communications (MOTC).
Qatar is enriching its cyber security efforts and working with counterparts across the globe to ensure open and secure cyberspace. To attain this, the Ministry formed the Qatar Computer Emergency Response Team (Q-CERT) in 2005.
About National Information Assurance (NIA) Policy
The National Information Assurance Policy is endorsed by the Ministry for adoption in all sectors.
The National Information Assurance Policy (v2.0) specifies a high-level information classification methodology for all government entities in Qatar, which allows for appropriate values to be ascertained, risks to be determined, and proper protection to be applied.
The Policy will provide the foundation and relevant tools to implement a full-fledged Information Security Management System (ISMS).
The NIA Policy applies to all Agencies and their corresponding information assets. Where an Agency has outsourced or subcontracted any processes or activities, it should ensure that these comply with this manual and its associated controls.
All Agencies shall be audited for compliance with this policy annually by a Certification body.
The NIA policy covers the following threats:
- Unauthorised Disclosure
- Unauthorised Modification
The policy guides organizations in classifying the impact of information security threats and in selecting appropriate mitigating controls, which allow them to:
- Protect information assets,
- Effectively manage information security risks,
- Achieve regulatory compliance; and
- Ease the compliance journey for international standard certifications (ISO 27001).
National Information Assurance Manual
The National Information Assurance Manual is to be used with the National Information Classification Policy [IAP-NAT-DCLS] and laws and regulations within the State of Qatar.
The manual provides baseline controls that an organization should implement at a minimum to protect their information system.
Security Governance and Security Processes cover the following:
- Governance Structure[IG]
- Risk Management[RM]
- Third Party Security Management[TM]
- Data Labelling[DL]
- Change Management[CM]
- Personnel Security[PS]
- Security Awareness[SA]
- Incident Management[IM]
- Business Continuity Management[BC]
- Logging & Security Monitoring[SM]
- Data Retention & Archival[DR]
- Audit & Certification[AC]
Security Controls cover the following:
- Communication Security[CS]
- Network Security[NS]
- Information Exchange[IE]
- Gateway Security[GS]
- Product Security[PS]
- Software Security[SS]
- Secure Usage[SU]
- Media Security[MS]
- Access Control Security[AM]
- Cryptographic Security[CY]
- Portable Devices & Working Off-site Security[OS]
- Physical Security[PH]
This manual highlights the following security standards:
- Build a proper governance structure headed by a responsible Security Manager.
- Define a risk management procedure.
- Ensure that outsourced services remain compliant with the NIA Policy.
- Label all information assets correctly in order to maximize data protection efforts.
- Document, review and manage changes that deviate from assets’ configuration baselines.
- Ensure security processes are aligned with the processes upheld by HR.
- Invest in creating an ongoing security awareness program for the entire workforce.
- Appoint someone to serve as the head of the incident management program.
- Update the business continuity plan on an ongoing basis.
- Monitor for and log all instances of unauthorized data, app or system access.
- Settle on a data retention period that suits the information stored by the agency.
- Document all of these processes together in a written security policy.
- Submit to an audit of the entire infrastructure at least once a year.
Network Intelligence invites you to join our upcoming webinar on National Information Assurance Policy V2.0 – Qatar.
Register here: https://bit.ly/NIA-Qatar-registration
The journey towards establishing a management system that processes information securely is always challenging: it requires an overall culture change towards a security-aware culture, possible changes to existing processes, and the introduction of new processes or security requirements.
The NIA Policy acts as an umbrella framework for defining and guiding actions related to the security of an organization’s information infrastructure. It provides an overview of what it takes to protect information, information systems and networks effectively, and gives an insight into the government’s strategy for safeguarding cyberspace in the State of Qatar.
Krithika Subramani is a creative and result-focused Cybersecurity Consultant working with Network Intelligence, with over 8 years of experience in IT Compliance, IT Business Analysis, IT Services Delivery, and auditing and implementing IT standards such as ISO 27001, SWIFT, AUA/KUA, NESA, SAMA, NCA ECC and PCI DSS. She holds the ITIL V3 Expert certification and the ISO 27001 Lead Auditor certification. She is self-driven, with excellent organizational and interpersonal skills and advanced communication skills, leveraged in building positive relationships.