The Dubai Electronic Security Centre (DESC), a significant component of Digital Dubai, is about to introduce the Information Security Regulation (ISR) Version 3.0, an upgrade that builds on the accomplishments of the preceding edition (ISR Version 2.0) while adding further enhancements and features.
The forthcoming regulation outlines major data protection practices that are to be adopted across all government units in Dubai. It stipulates requirements for data security measures that guarantee the appropriate confidentiality, integrity, and availability of the data managed within these units.
The intent of this regulation is to equip these entities with the standards that ensure the continuity of pivotal business processes, reducing potential risks related to data security and averting data security incidents.
The CEO of the DESC, Yousuf Hamad Al Shaibani, made it clear that as Dubai and the UAE relentlessly advance their exhaustive digital transformation agendas, their dedication to their mission to consistently augment data safety services in Dubai, aligning them with the highest global standards, remains unwavering. The Information Security Regulation is a robust mechanism for accomplishing strategic goals. Effectual application of ISR controls can assure resilience in mitigating risks to data security, which could thereby amplify consumer trust, business performance, productivity, and national security.
The regulation is divided into 13 sectors, each addressing one or more primary classes of data security, namely: Governance, Operation, and Assurance. It is applicable to all government entities in Dubai, including employees, consultants, contractors, and visitors who are not government employees but interact with the government via various means.
The forthcoming version of the ISR builds on ISR Version 2.0, which recorded significant achievements.
Version 3.0 incorporates enhancements that address several key aspects. Specifically, it mandates that UAE Nationals lead data security functions or hold the role of CISO, reporting to top-level management. It establishes roles and responsibilities for Information Security Champions, Internal Auditors, and the Incident Response Team. It also prohibits storing or processing critical information outside the UAE, including in cloud services.
Furthermore, the new version requires a problem management process as an element of incident management. It specifies minimum security and compliance requirements for external parties and managed services. It introduces data center security controls and adopts cyber-resilience framework requirements as part of business continuity procedures, while also aligning with relevant ISO frameworks and industry standards.