Information Security Committee approves Dubai Government's Information Security Regulation

The Regulation is aimed at managing the Government Information Security Environment and devising controls for it by developing an integrated and unified policy for Information Security and Dubai Government Information Systems for the purpose of working in a secure and reliable environment for storing information; in addition to bolstering the society's awareness of the value of Information Security.

After being approved by the Committee, the Regulation will be circulated to Dubai Government entities for immediate implementation by these entities and their employees. The regulation will also be applicable to the customers of these entities who are entitled to access their information systems, as mandated by a resolution to this effect issued by Dubai Executive Council.

Commenting on the adoption of the Regulation, H.E. Ahmed Bin Humaidan, Chairman of the Committee, said: "Our local departments have exerted individual efforts in the Information Security field and were keen on ensuring the Information Security of Government customers and transactions based on their awareness of the fact that this issue is essential for increasing confidence among investors and businessmen by protecting their data and securing government transactions, particularly those conducted online." He pointed out that the approval of the Information Security Regulation unified these efforts as the Regulation combines information in a unified system for Information Security, Operation and Assurance at the level of the government entities in the emirate.

Bin Humaidan clarified that the approval of a unified system for Information Security would necessitate an integrated strategy to be devised from which a unified policy will emerge for protecting government information and information systems as well as the domains related to it, which are divided into three major classes - Information Security governance, Operation and Assurance - at the level of the Government entities in the emirate.

The Information Security Regulation consists of 12 domains, each of which takes into consideration one major class of information security or more, these being Governance, Operation and Assurance. The Governance domains set high-level requirements for structuring and managing information security; the Operation domains are technical and/or non-technical solutions an entity may use depending on the results of their risk assessment study; and the Assurance domains act as the quality assurance for the entity, ensuring that the implemented solution is working as intended.

The 12 domains which constitute the structure of information security are Information Security Management and Governance; Information Asset Management; Information Security Risk Assessment; Incident Management; Access Control; Operations, Systems and Communication Management; Business Continuity Planning; Information Systems Acquisition, Development and Management; Environmental and Physical Security; Human Resource Security; Compliance and Audit; and Information Security Assurance and Performance Measurement

The Information Security Committee was formed under the Executive Council Resolution No. 13 for 2012 with respect to Information Security at Dubai Government, which was published in Issue No. 360 of Dubai Government's Official Gazette, on May 27, 2012. The resolution assigned several powers to the Committee, including studying and adopting the information security system prepared by Dubai eGovernment, following up its implementation by Dubai Government entities, conducting regular review of the system as per the results of the entities' evaluation of the system, and ensuring the existence of an Information Security emergency plan at Government entities.