Solution Brief

NESA COMPLIANCE SOLUTION


Automate and rationalize cyber risk management processes
OVERVIEW
NESA, the National Electronic Security Authority, is the UAE government body
tasked with protecting the country's Critical Information Infrastructure (CII) and
improving national cyber security. To that end, NESA has produced a
set of standards and guidance for government entities in critical sectors.
Compliance with these standards is mandatory for regulators, CII
operators and the other participating stakeholders that support
critical national services in the following sectors and subsectors:

Water and Electricity
Oil and Gas
Financial
Information System Telecommunications
Public Administration: National Public Administration, Emirate Public Administration
Health
Chemical
Nuclear
Emergency Services

Figure: Risk Reports & Heatmaps

NESA developed the National Cyber Risk Management Framework (NCRMF) based on international best practices and
standards. The framework covers the Cyber Risk Assessors Guidelines and Tools, the CIIP (Critical Information
Infrastructure Protection) Policy and the IAS (Information Assurance Standards). It also includes guidelines on the National
Risk Management Plan and the Risk Monitoring and Communications Methodology.

NESA lists 24 threats, ordered by the percentage of breaches attributed to each, and documents the controls that map to each
threat. Taking a threat-based approach to an information security standard is a step in the right direction towards bridging
the gap between IT risk and business risk.

OBJECTIVES OF NCRMF
• Introduces the Cyber Risk Assessors Guidelines with a pre-assessment checklist, and outlines the framework
components and glossary.

• Supports the creation of the National Cyber Risk Management Plan, explains how to implement the different activities of
the CII protection process, and fosters trust relationships between CII operators, CIIP working groups and NESA.

• Describes a step-by-step process for conducting risk assessments and outlines any sector-specific risk management
requirements and criteria.

• Provides sector-specific requirements for identifying critical services and the associated business and national impact.
MSDSNESA_Oct15

• Provides a process to monitor progress against risk treatment plans and CII operators' internal self-assessment reports by
establishing monitoring roles and responsibilities.

• Facilitates and encourages communication and sharing of best practices between CII operators and sector
regulators and leaders.

• Provides tools and instructions for executing the Risk Assessment Methodology by determining threat levels and
vulnerability severity ratings.
VALUE PROPOSITION
The MetricStream Solution provides the following benefits:

• Centralized repository of National Cyber Risk Management Framework content: the Solution offers
one-point access to the NCRMF components, the CIIP (Critical Information Infrastructure Protection) Policy, the
Cyber Risk Assessors Guidelines, the National Cyber Risk Management Plan and the IAS (Information Assurance Standards).
The Pre-Assessment Checklist provides the list of key documentation, configurations, manuals and similar material required to gain an
initial understanding of the systems in scope of an assessment. Users can pick any of these components to
manage their risks.

• NCRMF system characterization: the Solution provides an asset repository in which critical
services, functions and business criteria are defined and categorized by the NCRMF CIA categories (Confidentiality,
Integrity and Availability) and impact factors (such as operational and financial impact), so that the business impact of each
resource, process or asset is recorded and reported.

• Consistent threat and vulnerability management: the risk taxonomy can be defined as a
hierarchy, which makes it straightforward to model the threats, threat agents, factors and vulnerabilities listed by NESA. The Solution combines the
vulnerability severity rating of an asset with the business criticality rating of that asset into a Combined Risk Rating (CRR),
giving business and vulnerability context for prioritizing remediation. The formula behind the Combined Risk Rating is
configurable through a GRC Business Rule to match the organization's own scoring approach.

• Streamlined cyber risk assessments: a central NESA risk management framework simplifies
identifying and analyzing the risks in an organization's cyber operations, enabling informed decision-making that
supports business performance and the overall management of business risk. The MetricStream Solution enables a
systematic, closed-loop process for planning, scheduling and executing risk assessments across the enterprise.

• Risk assessment from multiple perspectives: companies can assess risks from
multiple dimensions, both top-down and bottom-up. This flexibility helps them build a mature risk profile and
improves transparency and visibility into cyber risks across the enterprise. The Solution lets an organization implement its own
algorithms for the inherent risk score, control score and residual risk score formulas, and it
automatically updates residual risk scores as deficiencies are addressed through corrective actions, so the risk
profile reflects the current state of the controls.
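As an added example (this is not MetricStream's code, and the page does not state the product's actual scoring formulas), the following Python model shows the scoring chain the two items above describe: asset criticality derived from CIA impact ratings, a Combined Risk Rating (CRR) that multiplies vulnerability severity by business criticality, an inherent risk score, a control score built from the controls that have actually been implemented, and a residual risk score that re-orders the remediation work list when a corrective action is closed. Every scale, weight, asset, finding and control name below is a constructed assumption chosen to illustrate the mechanics.

```python
"""Illustrative cyber risk scoring chain: CRR -> inherent -> control score -> residual.

Added example; scales and sample data are assumptions, not NCRMF or MetricStream values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ordinal severity scale (assumed). Criticality uses the same 1..4 range, so CRR spans 1..16.
SEVERITY: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Asset:
    """System characterization: CIA impact ratings, 1 (negligible) .. 4 (national impact), assumed scale."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def criticality(self) -> int:
        # Business criticality is driven by the worst-case CIA impact of the asset.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Vulnerability:
    vuln_id: str
    asset: str          # Asset.name the finding applies to
    severity: str       # key of SEVERITY
    likelihood: float   # 0.0..1.0: estimated probability of exploitation in the assessment period


@dataclass
class Control:
    name: str
    covers: Set[str]            # vulnerability ids this control mitigates
    effectiveness: float        # 0.0..1.0, taken from the control assessment
    implemented: bool = False   # flipped when the corrective action is verified as complete


def combined_risk_rating(asset: Asset, vuln: Vulnerability) -> int:
    """CRR = vulnerability severity x business criticality of the affected asset."""
    return SEVERITY[vuln.severity] * asset.criticality()


def inherent_risk(asset: Asset, vuln: Vulnerability) -> float:
    """Inherent risk: CRR weighted by likelihood, before any control is credited."""
    return combined_risk_rating(asset, vuln) * vuln.likelihood


def control_score(vuln_id: str, controls: List[Control]) -> float:
    """Fraction of risk removed by implemented controls covering the finding.

    Independent controls combine multiplicatively: what remains is prod(1 - effectiveness),
    so two 50% controls yield a 75% score rather than 100%.
    """
    remaining = 1.0
    for ctrl in controls:
        if ctrl.implemented and vuln_id in ctrl.covers:
            remaining *= 1.0 - ctrl.effectiveness
    return 1.0 - remaining


def residual_risk(asset: Asset, vuln: Vulnerability, controls: List[Control]) -> float:
    """Residual risk = inherent risk x (1 - control score); planned but unimplemented controls earn no credit."""
    return inherent_risk(asset, vuln) * (1.0 - control_score(vuln.vuln_id, controls))


def risk_register(assets: List[Asset], vulns: List[Vulnerability],
                  controls: List[Control]) -> List[Tuple[str, str, int, float, float]]:
    """(vuln_id, asset, CRR, inherent, residual) rows, highest residual first: the prioritized work list."""
    by_name = {a.name: a for a in assets}
    rows = []
    for v in vulns:
        a = by_name[v.asset]
        rows.append((v.vuln_id, a.name, combined_risk_rating(a, v),
                     round(inherent_risk(a, v), 2), round(residual_risk(a, v, controls), 2)))
    rows.sort(key=lambda r: r[4], reverse=True)
    return rows


def close_corrective_action(controls: List[Control], name: str) -> None:
    """Mark a control implemented once its remediation is verified; residual scores follow automatically."""
    for ctrl in controls:
        if ctrl.name == name:
            ctrl.implemented = True
            return
    raise KeyError(f"unknown control: {name}")


def build_sample() -> Tuple[List[Asset], List[Vulnerability], List[Control]]:
    """Constructed sample data (assumed): two assets, three findings, two planned controls."""
    assets = [Asset("scada-historian", confidentiality=2, integrity=4, availability=4),
              Asset("hr-portal", confidentiality=3, integrity=2, availability=1)]
    vulns = [Vulnerability("V-1", "scada-historian", "High", 0.5),
             Vulnerability("V-2", "hr-portal", "Critical", 0.6),
             Vulnerability("V-3", "scada-historian", "Medium", 0.2)]
    controls = [Control("network-segmentation", {"V-1", "V-3"}, effectiveness=0.75),
                Control("patch-hr-portal", {"V-2"}, effectiveness=0.9)]
    return assets, vulns, controls


if __name__ == "__main__":
    assets, vulns, controls = build_sample()
    print("before remediation:", risk_register(assets, vulns, controls))
    close_corrective_action(controls, "patch-hr-portal")
    print("after HR patch:    ", risk_register(assets, vulns, controls))
    close_corrective_action(controls, "network-segmentation")
    print("after segmentation:", risk_register(assets, vulns, controls))
```

Note what the ordering shows: before any control is closed, the HR portal finding sits at the top of the list because its severity is Critical, even though the SCADA historian is the more critical asset. Once the patch is verified, V-2 drops to the bottom and the two OT findings take over, which is the re-prioritization that a residual-risk view is meant to drive; a control that is merely planned never changes the score.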

• UAE IA control design and evaluation: once the key cyber risks are identified and prioritized, MetricStream
uses the UAE IA Standards and frameworks to help companies define the set of controls that mitigate those risks.
The Solution also allows the associated policy and procedure documents to be attached for reference. Assessment plans
for evaluating the effectiveness of the controls can be designed and assigned to owners according to their roles and
responsibilities. Assessments run against predefined criteria and checklists, with a mechanism for
scoring, tabulating and reporting gaps.

• Automated investigation and remedial action: the Solution triggers automatic alerts and
notifications to the appropriate personnel so that remedial action to contain the impact of an incident can start immediately,
followed by investigation and root cause analysis. The investigation is driven by collaborative workflows that ensure
responsiveness by assigning investigative tasks to an individual or team with due dates based on the severity of the
incident. Once remediation is initiated, the case remains open until the action plan has been carried out and the results verified for
effectiveness. Managers can track the status of each incident throughout.
THE METRICSTREAM IT GRC SOLUTION
The MetricStream IT GRC Solution, comprising the IT Risk, Security Threat and Vulnerability Management, and Compliance
Apps, can be configured to provide a centralized NCRMF framework for identifying and analysing all risks in the cyber
operations of an organization, enabling informed decision-making that supports business performance and the overall
management of business risk.

The Solution automates and rationalizes cyber risk management processes, with support for federated
risk analysis across business units. It gives detailed visibility into risks, risk factors, mitigating controls and metrics (KRIs, KPIs and so on)
with rich context. By automating the entire IT risk management workflow, from risk identification
and assessment scoring through to mitigation and reporting, the MetricStream Solution provides timely, actionable information for
proactively addressing national cyber risks in the light of corporate objectives.

Using the MetricStream Solution, organizations can also establish a consistent and repeatable threat management
process. The Solution makes it practical to harness large volumes of security data, correlate it with other risk
and compliance metrics, and turn it into dashboard reports that support informed decisions as new
vulnerabilities emerge.

The Solution provides built-in fields to capture the status of assets and to flag them as critical or non-critical based on
various parameters. All asset information, including risks, IT control self-assessments and control data, is stored in a
centralized library with many-to-many relationships between the records. Users can define and maintain a centralized structure
for the overall compliance and control hierarchy, including processes, asset repositories, the risks to those processes and
assets, the controls that mitigate the risks, and the programs that audit and assess the controls and their impact. The Solution
also holds the associated policies and procedures, reporting requirements, and filing templates and schedules for the
regulations.

Each of these Apps is stand-alone, with the option to connect to other MetricStream Apps including the MetricStream IT
Audit Management App, MetricStream IT Policy App, MetricStream Incident Management App, MetricStream Vendor Risk
Management App and MetricStream Business Continuity Management App.

HIGHLIGHTS
• A built-in reporting engine for analytics and business intelligence, with role-based, user-configurable
executive dashboards that give graphical and drill-down views of threats and vulnerabilities alongside risk assessments.

• Real-time tracking and monitoring of multiple sources, and the ability to configure automatic notifications or early warnings
from threat advisories published by different vendors, with the complete details of each threat: severity,
CVE ID, source, affected technologies, available controls, links from the threat to the GRC libraries, and
possible remediation instructions.

• Secure web-based access for all users, with appropriate views and tabs to initiate action against identified threats,
respond to events, manage to-do lists and assigned tasks, and view reports and dashboards.

• A harmonized risk-control library that achieves consistency and compatibility among different risk measurements, methods,
procedures, schedules, specifications and systems, backed by an adaptive, flexible data model with configurable forms,
fields, reports and workflows that lets businesses model and configure complex projects.
• Intuitive user tools, including clear forms, easily navigable risk assessment tree hierarchies, drag-and-drop
creation of risk scoring algorithms, dynamic roll-up and roll-down cyber security risk reports, flagged visual
indicators of risk, and dynamic tool tips.

• A robust security model with role-based access to risk-control assessments, aligned with each CII operator's
specific roles and responsibilities.

• Straightforward integration with external systems to retrieve, store and deliver risk data.

Figure: Sample Dashboards (KPI/KRI Dashboard; Sample Compliance Dashboard)

MetricStream is the market leader in enterprise-wide Governance, Risk, Compliance (GRC) and Quality Management
Solutions. MetricStream solutions are used by leading global corporations in diverse industries such as Financial Services,
Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-tech and Manufacturing to manage their
risk management programs, quality management processes, regulatory and industry-mandated compliance and other
corporate governance initiatives.

Email: info@metricstream.com
US: +1-650-620-2955 Europe: +41-615-880-111 UK: +44-203-318-8554
India: +91 80 4962 8000 UAE: +971 50 7217139 Australia: +61-870-708-014
2015 Copyright MetricStream. All Rights Reserved.
