UAE Information Assurance (IA) Regulation
In light of rapidly evolving cyber threats, including hacktivists and organised cybercrime groups that challenge national security and compromise critical information assets, the Telecommunications and Digital Government Regulatory Authority (TDRA) developed the ‘UAE Information Assurance Regulation’ to set requirements that raise the minimum level of protection of information assets and supporting systems across all entities in the UAE. The regulation seeks a trusted digital environment throughout the UAE.
The IA Regulation provides management and technical information security controls for entities to establish, implement, maintain, and continuously improve information assurance. TDRA will designate the critical entities as per the UAE CIIP Policy to implement the IA Regulation and apply its requirements to the use, processing, storage and transmission of information or data, and the systems and processes used for those purposes. This includes information in physical or electronic form that may be owned, leased, or otherwise in the possession, custody, or control of the entities.
In particular, the IA Regulation provides:
- a description of how information assurance is achieved at the national, sector and entity levels
- a risk-based approach for the implementation of the IA
- an outline of the roles and responsibilities of key stakeholders for the planning, development, implementation and ongoing monitoring and improvement of IA
- a reference catalogue of common information security controls to defend against common threats that exploit known cyber security vulnerabilities
- a means of realising sectorial requirements through the provision of specialised controls that address sector-specific information assurance requirements
- a phased implementation approach to address the most common threats, facilitate the incremental adoption of IA and optimise the value realised through implementation of IA
- a definition of compliance from the perspective of IA and a description of the approach that TDRA will adopt to assess compliance
- an enabler for inter-entity and cross-sector communication to support information sharing and build national situational awareness.
Related links
- Critical Information Infrastructure Protection (CIIP) Policy (3.9 MB)
- The National Information Assurance Framework (5.9 MB)