©2017
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS,
BUT AVOIDING THE SPEED BUMPS
Learn sound best practices with ISO 27001, ISO 20000, and the United Arab Emirates’
Information Assurance Standards. This session provides a road map to successful compliance
implementation and achieving these standards. Attendees will learn how to exceed expectations;
avoid speed bumps that will derail implementation including fraudulent landscapes, schemes and
challenges; and depart with the tools for a successful governance, risk, and compliance
programme as noted by the Middle East and expected by the UAE.
JOSÉ LUIS CARRERA JR., CFE, CIA, CRMA
Director, Governance, Risk, and Compliance
DarkMatter LLC
Abu Dhabi, United Arab Emirates
José Carrera has more than 20 years of international, strategic, progressive, and senior-level
management experience in internal auditing, HIPAA/HITECH, SOX, business integration and
process improvement, corporate governance, risk management, forensic accounting, and
information technology. His experience includes growing, developing, and directing internal
audit departments to achieve their utmost performance. Carrera also has significant experience
performing global enterprise-wide risk assessments for both business process and IT control
environments. He has also developed monitoring and risk and control reporting oversight,
controls transformation, and corporate governance functions and programs. Carrera’s additional
experience includes the development and implementation of global SOX, HIPAA/HITECH, and
internal audit programs where he led process training and change management initiatives to
ensure sustainability.
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
ACHIEVING COMPLIANCE WITH ISO 27001, 20000, AND UAE IA STANDARDS
2017 ACFE Fraud Conference Middle East ©2017 1
Disclaimer
This discussion is intended for educational purposes only
and does not replace independent professional judgement in
sizing information security governance, risk and strategy
activities for any given organization. Statements of fact and
opinions expressed are those of the presenter and not
DarkMatter LLC AE.
Achieving Compliance with ISO 27001, ISO 20000, and
UAE IA Standards, But Avoiding the Speed Bumps!
As a former Wells Fargo employee in the Operational
Compliance Department, I reflect back to September 20,
2016, when United States Senator Elizabeth Warren (D-MA),
during the Committee on Banking, Housing, and Urban Affairs
open session held to conduct a hearing titled “An Examination
of Wells Fargo’s Unauthorized Accounts and the Regulatory
Response,” faced off with Wells Fargo CEO John Stumpf, whose
massive bank had appropriated customers’ information to create
millions of bogus accounts. She had sharp questions and
comments. In particular:
“Here’s what really gets me about this, Mr. Stumpf.
If one of your tellers took a handful of $20 bills out
of the cash drawer, they’d probably be looking at
criminal charges for theft. They could end up in
prison.
“But you squeezed your employees to the breaking
point so they would cheat customers and you could
drive up the value of your stock and put hundreds of
millions of dollars in your own pocket.
“And when it all blew up, you kept your job,1 you
kept your multi-multimillion-dollar bonuses, and
you went on television to blame thousands of $12-
an-hour employees who were just trying to meet
cross-sell quotas that made you rich. This is about
accountability. You should resign. You should give
back the money that you took while this scam was
going on, and you should be criminally investigated
by both the Department of Justice and the Securities
and Exchange Commission. This just isn’t right.”
Phew. It begs the questions: Where was the
accountability? Where were the Three Lines of Defense?
Were the internal controls working as intended? Which
standards did Wells Fargo fail to adhere to?
A wise man shared with me a best practice definition for
compliance, which simply states: “Compliance is either a
state of being in accordance with established guidelines or
specifications, or the process of becoming so.” This
definition of compliance can also encompass efforts to
ensure that organizations are abiding by both industry
regulations and government legislation.
Compliance at its core is a prevalent business concern,
partly because of an ever-increasing number of regulations
that require multinational organizations, companies, and
governmental organizations to be vigilant about
maintaining a full understanding of their regulatory
compliance requirements. Some prominent regulations,
1 October 20, 2016; BusinessWeek SAN FRANCISCO--(BUSINESS WIRE)--
Wells Fargo & Company (NYSE:WFC) announced today that Chairman and
Chief Executive Officer John Stumpf has informed the Company’s Board of
Directors that he is retiring from the Company and the Board, effective
immediately. www.businesswire.com/news/home/20161012006336/en/Wells-Fargo-Chairman-CEO-John-Stumpf-Retires.
standards, and legislation with which organizations might
need to be in compliance include but are not limited to:
Sarbanes-Oxley Act (SOX) of 2002: SOX was
enacted in response to the high-profile Enron and
WorldCom financial scandals to protect shareholders
and the general public from accounting errors and
fraudulent practices in the enterprise. Among other
provisions, the law sets rules on storing and retaining
business records in IT systems.
Health Insurance Portability and Accountability Act
of 1996 (HIPAA): HIPAA Title II includes an
administrative simplification section that mandates
standardization of electronic health records systems and
includes security mechanisms designed to protect data
privacy and patient confidentiality.
Dodd-Frank Act: Enacted in 2010 in response to the 2008
financial crisis, this act subjects banks and other financial
institutions to regulations that enforce transparency and
accountability in order to protect consumers.
Payment Card Industry Data Security Standard
(PCI DSS): PCI DSS is a set of requirements first
released in 2004 by the major payment card brands (Visa,
MasterCard, Discover, American Express, and JCB) and now
maintained by the PCI Security Standards Council, to protect
cardholder data in credit and debit card transactions.
UAE Second Most Targeted Country by Hackers
After the United States
The UAE’s days of cyber security might be behind
it. The country is now the second most targeted
country after the United States, according to
statistics shown at the UAE’s new Cyber Security
Centre, which was opened on Monday. Dr. Mounes
Kayyali, CEO of security solutions provider The
Kernel, told Gulf News that Anonymous, an
international group of hacktivists (hacker +
activist), and other hacker groups have been
conducting cyber espionage attacks against state-
owned energy companies.
Source: Gulf News, 23rd of August 2016. Appeared also in
Gulf News Online.
Information Technology (IT) compliance guidelines also
vary by country. As a result, multinational companies must
be cognizant of the regulatory compliance requirements of
each country they operate in, and adhering to those
guidelines is now a necessary, ingrained
process. “Not knowing” is not an excuse.
Fast forward. Here in the United Arab Emirates (UAE),
compliance standards are not an exception, they are the
norm. Case in point:
On June 25, 2014, the National Electronic Security
Authority (NESA) announced a number of key
strategies, standards, and policies to guide, direct,
and align UAE National cyber-security efforts all
across the UAE. As stated, this announcement came
in shortly after a meeting between senior officials
from the local and federal entities. These
organizations represented the entire spectrum of the
Emirates Government. Thereby, a “National Cyber
Security Program” was launched.
NESA is a UAE federal authority that operates
under the Supreme Council for National Security.
NESA is responsible for the advancement of the
nation’s cybersecurity, expanding cyber awareness
and creating a collaborative culture rooted in
information technology and innovation. In order to
achieve their objectives, NESA has devised a new
set of guidelines and standards for all government
entities and other entities identified as critical
national service by NESA. Therefore, compliance with
NESA is mandatory for all such entities.
“Cybersecurity is one of the biggest economic and
national security challenges countries face in the
twenty-first century. NESA was established in line
with this modern reality and as soon as the
Authority was in place, we immediately initiated a
thorough review of federal efforts to defend and
protect the nation’s information and communication
technology (ICT) infrastructure. This announcement
falls in line with the process we are currently
engaged in which puts all necessary policies and
standards in place to ensure a comprehensive
approach to securing the nation’s digital
infrastructure,” His Excellency Jassem Bu Ataba Al
Zaabi, Director General.
“NESA is committed to ensuring that all UAE
government bodies are made fully aware of the
responsibility they now have to meet the
requirements of these policies and in turn, what this
means in practice going forward,” he added.2
The new rules and regulations stem from a number of
existing international security standards and guidance (such
as NIST and ISO 27001). The NESA information pack includes
various documents, such as the Critical Information
Infrastructure Protection Policy (CIIP) and the Information
Assurance Standards (IAS).
2 www.zawya.com/story/The_UAE_National_Electronic_Security_Authority_Introduces_New_Strategies_Policies_and_Standards_to_Enhance_the_Security_and_Resilience_of_UAE_ICT_Infrastructure-ZAWYA20140625101324/
NESA compliance is mandatory for UAE government
entities and other entities identified as critical national
service by NESA. NESA compliance will be applicable and
mandatory for other participating stakeholders who support
and deal with critical national information or provide such
services. For other UAE entities, NESA recommends
following the guidelines on a voluntary basis in order to
participate in raising the nation’s minimum security level.
In a technology-driven world, cybercrime is on the rise,
and organizations face a continual threat of critical data
loss (see below). This includes not only sensitive customer
data, but also the legal, statutory, financial, and
operational data necessary for business operations. This is
why the NESA compliance requirements were introduced and
implemented; they draw on three established bodies of
practice: International Organization for Standardization (ISO)
27001, PCI DSS, and Cyber Essentials.
Prevention Is Better Than a Cure—Take Steps
Now to Defend Against Cyber Attacks
The UAE is blazing a trail for the rest of the region
to follow but as the country has prospered, it has
also attracted the attention of cyber-criminals.
According to an article published by The National
newspaper in the UAE, a local bank came under
Cyber-Attack in 2015, and was forced to reissue
cards to its customers as a precaution against a
possible breach. This wasn’t an isolated incident;
attacks against the country have risen significantly
in the last few years.
Source: Arabian Business, 29th of November 2016.
The objective of NESA IA compliance is not only to keep
entity data adequately safe, but also to:
Detect, respond to, and recover from significant
cybersecurity incidents and reduce their impact on the
society and economy of the UAE;
Increase cybersecurity awareness among its workforce
and thus build a national capability;
Strengthen security of critical information infrastructure
and reduce corresponding risk levels; and
Foster collaboration at sector and national levels.
From a background perspective, it is necessary to understand the
difference between the two compliance frameworks at the heart of this
discussion, the NESA IA Standards and ISO 27001, with a sprinkling of
the National Institute of Standards and Technology (United States
Department of Commerce) Special Publication 800-53 Revision 4,
Security and Privacy Controls for Federal Information Systems and
Organizations (NIST SP 800-53r4). ISO 27001 provides guidance in the
form of additional and detailed supporting documentation.
The NESA IA Standards, on the other hand, contain brief
guidance within different levels of control. They also summarize
the main components that constitute high-level controls and how
they should be applied.3
3 http://dx.doi.org/10.6028/NIST.SP.800-53r4
Here is what your new control system should be
designed to look like:
[Figure: control structure. Source: NESA UAE Information Assurance Standards]
NESA does not have a defined scope for its application,
adoption, and implementation. This gives critical
information infrastructure controllers the latitude to pursue
organization-wide NESA compliance in whatever way suits their environment.
Sophisticated hackers do not limit themselves in the same
way as organizations. This means that organizations with
control deficiencies are susceptible to any hacking attempt
and malware from anyone across the globe. Such hackers
can attack any part of the business.
As such, NESA recommends that all small-to-large
organizations dealing in critical information begin
compliance with a thorough risk assessment (the best practice
starting point). A risk assessment helps to identify the
critical assets that must be protected against
malware and other threats, at all costs. It also enables
management to prioritize and address security control
issues before committing to an organization-wide NESA
compliance policy.
NESA adopts a tiered approach towards enforcing
compliance. This is not dissimilar to the merchant levels
used under PCI DSS.
It is important to note that the level of risk your
organization poses to the UAE information
infrastructure will determine how closely NESA regulators
will work with you.
Here is how the NESA compliance audit framework will
work:

PROCEDURE      IMPACT
Reporting      Maturity-based self-assessment by stakeholders, in line with mandatory vs. voluntary requirements
Auditing       When appropriate, NESA (or a NESA designate) can audit stakeholders by requesting specific evidence in support of the self-assessment report
Testing        When appropriate, NESA (or a NESA designate) can commission tests of the information security measures in place at stakeholders
Intervention   In extreme cases, NESA should be able to intervene directly when an entity’s activities are leading to unacceptable national security risks
NESA UAE information assurance standards provide
requirements to implement information security controls to
ensure protection of information assets and supporting
systems across all entities in the UAE. By complying with
NESA standards, organizations can ensure the following:
Protection of information assets
Compliance with UAE regulations
Mitigation of identified information security risks
Implementation of effective controls
Establishment of a secure culture by raising awareness
Securing National Critical Infrastructure
Multi-factor authentication is “the Solution” to
hacking, says DarkMatter
Interconnectivity – be it with respect to digital
networks in general or banking systems – needs to
take into consideration the cascading effects of a
breach and mitigate against them. Given that the
latest incident in Russia was likely orchestrated
using falsified client credentials, which has become
a preferred method of bank system hacking,
DarkMatter advises the use of multi-factor
authentication to accounts, so that even if a
password is stolen and access to a system gained,
the hackers are not able to access any accounts or
transactions without the corresponding token or
biometric for the account.
Source: CPI Financial, 5th of December 2016.
The UAE is a place where new and emerging technologies
are quickly adopted by government and enterprises in an
effort to drive business growth. As reported by Friday
Magazine,4 in the United Nations International
Telecommunications Union’s recent “Global
Cybersecurity Index” that was released back in January
2016, the UAE ranked among the top 20 countries in the
world. The index measures cybersecurity aspects such as
legislation, regulation and compliance, capacity building,
and international cooperation.
4 Friday Magazine, UAE government among top 20 in cybersecurity,
by Shiva Thekkepat.
Many industry experts say that the UAE government has
outpaced European countries in cybersecurity preparedness,
protecting the country’s critical national infrastructure in
the face of growing cyber threats. The country aspires to be
among the best countries in the world by 2021 through
UAE Vision 2021.
ISO/IEC 27001:2013
ISO/IEC 27001:2013, Information technology – Security
techniques – Information security management systems –
Requirements, is published jointly by the International
Organization for Standardization (ISO)5 and the International
Electrotechnical Commission (IEC)6 through their joint technical
committee ISO/IEC JTC 1, subcommittee SC 27. The standard
specifies the requirements for establishing, implementing,
maintaining, and continually improving an information security
management system within the context of the organization.
It also includes requirements for the assessment and treatment
of information security risks tailored to the needs of the
organization. The requirements set out in the standard are
generic and are intended to be applicable to all organizations,
regardless of type, size, or nature.
The ISO/IEC 27000 family of standards helps
organizations keep information assets secure. Using this
family of standards will help your organization manage the
security of assets such as financial information, intellectual
property, employee details, or information entrusted to you
by third parties.
5 https://en.wikipedia.org/wiki/International_Organization_for_Standardization
6 https://en.wikipedia.org/wiki/International_Electrotechnical_Commission
ISO/IEC 27001 is the best-known standard in the family,
providing requirements for an information security
management system (ISMS). An ISMS is a systematic
approach to managing sensitive company information so
that it remains secure. It includes people, processes, and IT
systems by applying a risk management process.
It can help small, medium and large businesses in any
sector keep information assets secure.
Brief History
ISO/IEC 27001 is derived from BS 7799 Part 2, first
published as such in 1999.
BS 7799 Part 2 was revised by BSI in 2002,
explicitly incorporating the Plan-Do-Check-Act
cyclic process.
BS 7799 part 2 was adopted as ISO/IEC 27001
in 2005, with various changes to reflect its new
custodians.
The standard was extensively revised in 2013,
bringing it into line with the other ISO management
system standards (the common Annex SL structure) and
dropping the explicit reference to Plan-Do-Check-Act (see
the figure on the following page).
[Figure. Source: Netgrowth Ltd 2014]
A high-level outcome of adhering to the standard is that
organizations that meet it may be certified by an
independent, accredited certification body on
successful completion of a formal certification audit.
The structure of the ISO/IEC 27001:2013 is best depicted
by:
0: Introduction—The standard uses a process
approach.
1: Scope—It specifies generic ISMS requirements
suitable for organizations of any type, size, or nature.
2: Normative references—Only ISO/IEC 27000 is cited as
a normative reference, i.e., essential to users of ‘27001;
the remaining ISO 27000-series standards are optional.
3: Terms and definitions—No separate glossary; the clause
states that the terms and definitions given in ISO/IEC
27000 apply.
4: Context of the organization—Understanding the
organizational context, the needs and expectations of
“interested parties,” and defining the scope of the
ISMS. Section 4.4 states very plainly that “The
organization shall establish, implement, maintain, and
continually improve” a compliant ISMS.
5: Leadership—Top management must demonstrate
leadership and commitment to the ISMS, mandate
policy, and assign information security roles,
responsibilities and authorities.
6: Planning—Outlines the process to identify, analyze
and plan to treat information risks, and clarify
the objectives of information security.
7: Support—Adequate, competent resources must be
assigned, awareness raised, documentation prepared
and controlled.
8: Operation—A bit more detail about assessing and
treating information risks, managing changes, and
documenting things (partly so that they can be audited
by the certification auditors)
9: Performance Evaluation—Monitor, measure,
analyze and evaluate/audit/review the information
security controls, processes, and management system in
order to make systematic improvements where
appropriate.
10: Improvement—Address the findings of audits and
reviews (e.g. nonconformities and corrective actions),
make continual refinements to the ISMS
Annex A Reference control objectives and controls:
A little more in fact than a list of titles of the control
sections in ISO/IEC 27002. The annex is ‘normative’,
meaning certified organizations must compare their chosen
controls against it (in the Statement of Applicability) and
justify any exclusions; they remain free to supplement it
with controls from other sources in order to address their
particular information risks.
Bibliography—Points readers to five related standards,
plus Part 1 of the ISO/IEC directives for more
information. In addition, ISO/IEC 27000 is identified in
the body of the standard as a normative (i.e., essential)
standard, and there are several references to ISO 31000
on risk management.
Sometimes a Picture Is Worth a Thousand Words
[Figure. Source: DarkMatter]
ISO/IEC 20000-1:2011
Further, ISO/IEC 20000 is another international IT
standard that allows organizations (Ministries) to
demonstrate excellence and prove best practice in IT
management. ISO/IEC 20000 Information technology --
Service management -- Part 1: Service management system
requirements ensures that companies can achieve evidence-based
benchmarks to continuously improve their delivery
of IT services.
ISO/IEC 20000 was released in 2005 based on the IT
infrastructure library (ITIL®) best practice framework, and
updated in 2011. By definition, Information Technology
Infrastructure Library, which is more formally known as
ITIL, is a set of practices for IT service management
(ITSM) that focuses on aligning IT services with the needs
of business. See the ITIL Framework below.
[Figure: the ITIL framework. Source: Wikipedia]
We have seen the adoption of ISO/IEC 20000 grow rapidly
within the UAE, especially within Abu Dhabi and Dubai.
This standard has most definitely become a competitive
differentiator for delivery of IT services.
We have seen the implementation of ISO/IEC 20000-1:2011
used most recently by:
Organizations seeking services from service providers
and requiring assurance that their service requirements
will be fulfilled;
Organizations that require a consistent approach by all
of their service providers, including those in a supply chain;
Service providers that intend to demonstrate their
capability for the design, transition, delivery, and
improvement of services that fulfil service
requirements;
Service providers that monitor, measure, and review their
service management processes and services;
Service providers that improve the design, transition,
delivery, and improvement of services through the
effective implementation and operation of the SMS;
and
Assessors or internal auditors using it as the criteria for a
conformity assessment of a service provider’s SMS against
the requirements in ISO/IEC 20000-1:2011.
Brief History
ISO 20000 is comprised of two parts: a
specification for IT Service Management (ISO
20000-1) and a code of practice for service
management (ISO 20000-2).
ISO 20000 was formerly called BS 15000 and was
developed by the British Standards Institution
(BSI), an international standards, testing, and
certification organization.
High-level benefits of ISO/IEC 20000 include but are not
limited to:
Achieve international best practice standards of IT
service management.
    And bragging rights!
Develop IT services that are driven by and support
business objectives.
    This is where a vast number of organizations have a
    void in their ITSM.
Integrate people, processes, and technology to support
business goals.
    Interaction and communication are key elements of
    success.
Put in place controls to measure and maintain consistent
levels of service.
    Operating and Service Level Agreements and
    monitoring of these approved agreements.
ISO/IEC 20000 is compatible with ITIL to support
continual improvement.
    The continual improvement lifecycle is critical to
    maintaining best practice IT services and engaged
    employees!
[Figure: service management system. Source: DarkMatter]
The illustration above is known among ISO Lead Auditors
as a Service Management System, which includes the
service management processes. The service management
processes and the relationships between the processes can
be implemented in different ways by different service
providers. The nature of the relationship between a service
provider and the customer will influence how the service
management processes are implemented.
Closing Thoughts
Although ITIL was often addressed as a de facto standard
in IT Service Management, it is important to state
that ITIL is a best practices library; it is NOT a standard.
... As such, ITIL is not fully auditable. ISO/IEC 20000,
on the other hand, is an auditable norm.
Revealed: Cyber Attacks That Hit UAE in 2016
While businesses are investing more in
cybersecurity, hackers continue to penetrate
networks, pilfering money and customer data in the
process. Cash from ATM machines is still being
stolen. Fraudulent credit cards still abound and
highly sensitive data are still being leaked. The
UAE is no exception. According to Kaspersky Lab,
there were a number of cyber attacks detected in
the country this year. One of these threats targeted
automated teller machines (ATMs) in order to steal
money from bank customers.
Source: Gulf News, 19th of December 2016.
Putting It All Together
There was a significant amount of thought and effort put into
creating the UAE IA Standard. For example, the development
of the UAE IA Standards is based on regional and global
best practices including, but not limited to:
ISO/IEC 27001:2005, 27002:2005, 27005:2005,
27010:2012, and 27032:2012;
NIST SP 800-53 Revision 4;
Abu Dhabi Systems & Information Centre (ADSIC)
Abu Dhabi Information Security Standards Version 1
and Version 2; and
The Center for Internet Security Critical Security
Controls for Effective Cyber Defense, a publication of
best practice guidelines for computer security:
Top 20 Critical Security Controls for Effective Cyber
Defense Version 4.1, to name a few!
Pictorially, there is a comparison chart that has been
prepared by the UAE IA development team. Below is a
small snippet of the comparison chart.
Speed Bumps to Avoid on the Implementation
Speed bumps to avoid on the implementation of UAE IA,
ISO 27001, or ISO 20000 for UAE-specific organizations
include but are not limited to:
Critical foundation
    Risk assessment
Organizational business services
    IT service catalogue
    Map business and IT services
“Lone assets”
    One to many, many to one
Scope and objective
    Must be defined and agreed upon
Mitigation of prior internal audits, risk assessments,
penetration testing and/or vulnerability assessments
    Mitigation should be completed within 12 months,
    if possible
Documentation availability and quality of
documentation
    Substance versus form
Cultural sensitivity
    We live and work in a multi-cultural environment
Service Level and Operational Level Agreements
    Service Level Agreements: key performance
    indicators
    Operational Level Agreements: are “they” meeting
    expectations?
“Lost in translation”
Frequency of control versus “we’ve done it”
Evidence, evidence, evidence
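Two of the speed bumps above lend themselves to a script rather than a spreadsheet: mapping business services to IT services so that “lone assets” and one-to-many / many-to-one dependencies surface, and checking each control’s required frequency against the evidence actually on file instead of accepting “we’ve done it”. The following is an added example written for this page; it is not code from the paper, from DarkMatter, or from any NESA or ISO publication. The service catalogue, the control register, the frequency windows, and the report date are constructed sample data, and the Annex A-style control labels are illustrative only.

```python
"""Added example (not from the paper): two "speed bump" checks on sample data.

1. Service mapping: build the IT-service -> business-service view from the
   business-service catalogue and flag "lone assets" (IT services supporting
   no business service) and business services with no IT dependency mapped.
2. Evidence freshness: compare each control's required frequency with the
   newest evidence on file and report controls that are overdue or unevidenced.

All catalogue entries, control names, frequencies and dates are hypothetical.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed business-service catalogue: business service -> IT services it relies on.
BUSINESS_TO_IT = {
    "Customer onboarding": ["CRM", "Identity provider", "Document store"],
    "Payroll": ["HR system", "Identity provider"],
    "Public website": ["Web CMS", "CDN"],
    "Treasury reporting": [],  # mapping never completed: a gap the audit will find
}

# Constructed IT-service catalogue: everything the IT department actually runs.
IT_SERVICES = {
    "CRM", "Identity provider", "Document store", "HR system",
    "Web CMS", "CDN",
    "Legacy FTP server",  # supports no business service: a "lone asset"
}


def map_services(business_to_it, it_services):
    """Return (it_to_business, lone_assets, unmapped_business).

    it_to_business is the reverse (many-to-one) view; lone_assets are IT
    services with no business owner; unmapped_business are business services
    whose IT dependencies were never recorded.
    """
    it_to_business = defaultdict(list)
    for biz, its in business_to_it.items():
        for it in its:
            it_to_business[it].append(biz)
    lone_assets = sorted(it_services - set(it_to_business))
    unmapped_business = sorted(b for b, its in business_to_it.items() if not its)
    return dict(it_to_business), lone_assets, unmapped_business


def shared_it_services(it_to_business):
    """IT services that several business services depend on (many-to-one).

    These concentrate risk, so they deserve the strictest availability and
    security targets when service levels are agreed.
    """
    return {it: sorted(b) for it, b in it_to_business.items() if len(b) > 1}


# Maximum age, in days, of the newest evidence for a control with this frequency.
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "quarterly": 92, "annual": 366}

# Constructed control register: control -> (required frequency, evidence dates on file).
# Labels loosely follow ISO/IEC 27001:2013 Annex A numbering; they are illustrative only.
CONTROLS = {
    "A.9.2.5 review of user access rights": ("quarterly", [date(2017, 1, 15), date(2017, 4, 20)]),
    "A.12.3.1 backup restore test": ("monthly", [date(2017, 6, 1)]),
    "A.12.4.1 log review": ("daily", [date(2017, 7, 31)]),
    "A.12.6.1 vulnerability scan": ("weekly", []),  # claimed, never evidenced
}

REPORT_DATE = date(2017, 8, 1)  # constructed "as of" date for the self-assessment


def stale_controls(controls, as_of, frequency_days=FREQUENCY_DAYS):
    """Return {control: days_overdue} for controls that fail the frequency test.

    A control with no evidence at all maps to None: "we've done it" without
    evidence is reported separately from "done, but not often enough".
    """
    overdue = {}
    for name, (freq, evidence) in controls.items():
        allowed = timedelta(days=frequency_days[freq])
        if not evidence:
            overdue[name] = None
            continue
        age = as_of - max(evidence)
        if age > allowed:
            overdue[name] = (age - allowed).days
    return overdue


if __name__ == "__main__":
    it_to_biz, lone, unmapped = map_services(BUSINESS_TO_IT, IT_SERVICES)
    print("Lone assets (no business service):", lone)
    print("Business services with no IT mapping:", unmapped)
    print("Shared IT services (many-to-one):", shared_it_services(it_to_biz))
    for control, days in stale_controls(CONTROLS, REPORT_DATE).items():
        status = "NO EVIDENCE" if days is None else f"{days} days overdue"
        print(f"{control}: {status}")
```

The frequency windows are deliberately generous (a 92-day quarter, a 31-day month) so that the check flags genuine lapses rather than calendar noise; tighten them to match whatever the control owner actually committed to in the Statement of Applicability or the OLA.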
Thank you for your participation. Questions surrounding
this paper can be directed to:
José Luis Carrera Jr. , CFE, CIA, CRMA
Director of Governance, Risk, and Compliance
Level 15, Aldar HQ
Abu Dhabi, United Arab Emirates
T +971 2 417 1417
M +971 55 844 3620
darkmatter.ae