The 2nd version is the fruit of an ongoing process of revision and updating of information security
standards. The aim is to reflect the government’s constant commitment to ensuring full protection
of Abu Dhabi Government’s information, along with keeping abreast of the rapid changes and
development in the field of information technology.
The Information Security Policy is a pivotal part of the Abu Dhabi E-Government strategy, as
it aims at supporting both the design and coordination of services, as well as providing secure
government information through effective policies and standards. The Policy also oversees practices
of information security in government entities, and ensures that access to information systems and
their sources is controlled.
Moreover, the Policy constitutes a holistic framework that includes information security, both
within and beyond the electronic system range. Thus, this document sets out the standards and
requirements to be implemented for information security and protection.
As the managing entity of the Policy, the Abu Dhabi System and Information Center will oversee the
appropriate implementation of this programme in order to achieve the desired objectives.
All government entities are to incorporate information security as an integral part in their
operational processes and activities, and ensure that security and risk related procedures are
indispensable drivers of decision-making policies in this regard.
We wish our endeavours will meet with success, so we can contribute to Abu Dhabi’s progress
and prosperity, under the wise leadership of His Highness Sheikh Khalifa bin Zayed Al Nahyan,
President of the United Arab Emirates, and His Highness General Sheikh Mohamed bin Zayed
Al Nahyan, Crown Prince of Abu Dhabi, Deputy Supreme Commander of the UAE Armed Forces
and Chairman of the Abu Dhabi Executive Council.
A review and update of this document will take place when changes require revising
the Information Security Policy. Such modifications may relate to changes in roles and
responsibilities, release of new legislation or technical guidance or the identification
of a new policy area. The General Secretariat of the Abu Dhabi Executive Council, in
consultation with appropriate parties, will approve all revisions to this Information
Security Policy. When approved, a new version of the Information Security Policy
will be issued, and all affected Abu Dhabi personnel will be informed of the changes.
Title: Heads of All Abu Dhabi Government Entities
Format: Electronic copy; hard copy
Group: All Abu Dhabi Government Entity personnel, contractors, and third party
individuals directly or indirectly involved in the provision of government services.
Contents
Definitions
CHAPTER 1 Introduction
1.1 Purpose
1.2 Scope
1.3 Compliance and Enforcement
1.4 Authorities
Availability: Ensuring timely and reliable access to, and use of, information.
Information Security Domains: Management and functional domains that are grouped into
12 specific families (e.g. Information Security Governance,
Information asset Management etc.) in order to provide
the foundation for a comprehensive Information Security
Programme.
Abu Dhabi Information Security Working Group (AD-ISGC): An information sharing body
led by the Abu Dhabi Systems and Information Centre and composed of Chief Information
Security Officers of Abu Dhabi Government Entities. The
AD-ISGC provides a forum for two-way communication on
Information Security matters of relevance and applicability
across multiple Abu Dhabi Government Entities. The
AD-ISGC provides Entities with a mechanism for proposing
improvements to Information Security capabilities across
the government of Abu Dhabi.
Authorising Official: Individual who has the ultimate responsibility to accredit all
Government services. This individual accepts responsibility
for the security of the service and accountability for any
adverse impacts to the entity if a breach of security occurs.
Recovery Point Objective (RPO): The maximum tolerable period in which data might be lost.
CHAPTER 1
Introduction
1.1 Purpose
The Information Security Policy is considered the primary reference for Abu Dhabi
Government Information Security. The purpose of this Information Security Policy is
to confirm what must be done to secure the Government of Abu Dhabi’s information
assets. In this respect, the Policy is supported by the Abu Dhabi Information Security
Standards.
1.2 Scope
This Information Security Policy is informed by a holistic view of Information Security,
not solely focusing on Information Technology security. Therefore, the document
addresses the security of information within Information Technology systems and
also information that resides outside of Information Technology systems – forming
an overarching information system. To comprehensively address the various
security risks, this policy defines requirements for ensuring that critical Government
information is secure, regardless of the medium in which the information resides.
The success of the Information Security programme depends upon the collaboration
between local government entities and concerned federal government entities.
Abu Dhabi Systems & Information Centre (ADSIC) will coordinate the overarching
framework, strategy, and standards-setting, and will support the execution of the
necessary government-wide controls needed to assist Entities in implementing
their Information Security programmes. Ultimately, Entities are responsible for
implementing the appropriate risk-based security controls to protect the information
under their respective cognizance.
Information Security Governance and Risk Management are the foundation of the
Information Security Programme. These disciplines require that entities protect
Government information assets in a manner commensurate with:
1. Compliance obligations
2. Specific risks that apply to the information assets
3. Business requirements for service or system
The magnitude of harm that could result from the loss, misuse, unauthorised access
to, or modification of such information should inform management decision making.
1.3 Compliance and Enforcement
Compliance with this Information Security Policy is mandatory. All Abu Dhabi
Government Entities must comply with the roles, responsibilities, and security
policy statements set forth in this document to ensure the confidentiality, integrity,
and availability of Government information. Further, Abu Dhabi Government Entities
must ensure that suppliers engaged by them adhere to the applicable obligations of
this Policy and its supporting Information Security Standards.
Abu Dhabi Government Information Systems that fail to comply with this policy may
not be allowed to process Government information or connect to other Government
systems.
1.4 Authorities
This Information Security Policy defines mandatory requirements for protecting
information. It is issued in accordance with:
• Federal Law No. 5 of 2012 on combating cyber crimes, which establishes the
definition of cyber crimes and associated penalties.
CHAPTER 2
Information Security Domains
It is the intention of the Abu Dhabi Government to protect its information assets
in a manner appropriate to the value of those information assets and the potential
harm that could be caused as a consequence of loss, misuse, unauthorised access
to, or unauthorised modification of, these assets. The Abu Dhabi Government has
put in place this Information Security Policy as a mechanism to provide direction
regarding the protection and stewardship of its information assets. Usage, storage,
transmission and management of those information assets must be undertaken in a
manner conformant with this Policy.
1. Entities shall set and review measurable objectives for their Information
Security programmes and make sufficient budgetary provisions to achieve those
objectives. Programme objectives should have a primary focus upon addressing
areas of most significant risk, achieving compliance obligations and addressing
business needs in a secure manner.
2. Entities shall ensure that suitable resourcing is provided for the organisation’s
Information Security programme to be transacted. Entities shall appoint a Chief
Information Security Officer (CISO) to undertake day-to-day management of
the Information Security programme, supported as necessary by additional
security-related roles.
2.3 Human Resources Security
Abu Dhabi Government Entities shall implement work design and working practices
that provide personnel with secure access to government information assets.
Entities shall make provision for an appropriate segregation of duties, as determined
by risk assessment.
Before access is granted to Abu Dhabi Government information assets, Entities shall
ensure that personnel have been screened by appropriate authorities. Entities shall
ensure that personnel have the required information, training, skills, awareness and
competencies to process Government information in a manner appropriate to the
information’s classification.
2.9 Identity and Access Management
Abu Dhabi Government Entities shall ensure that access to information systems and
information assets in other forms is controlled. Users of information systems and
information processing facilities shall be appropriately authenticated, with access
and privileges granted on the basis of a verified business need. Entities shall be
responsible for monitoring access for appropriate usage and revoking access when
no longer required, or when deemed no longer appropriate. Users of information
systems and information processing facilities shall be informed as to their obligations
and responsibilities for Information Security.
4. Information systems shall be subject to regular data back-up and media shall be
handled securely.
CHAPTER 3
Roles & Responsibilities
This policy was developed in coordination with a number of Abu Dhabi Government
Entities and in coordination with strategic partners i.e. local and federal UAE
Government entities, is required.
To ensure the objectives of this policy are met and to achieve increased efficiency
and effectiveness in the implementation of Information Security, the General Secretariat
Executive Council (GSEC), Abu Dhabi Systems and Information Centre (ADSIC),
Abu Dhabi Information Security Working Group (AD-ISWG) and all Abu Dhabi
Government Entities (ADGE) will have defined roles and responsibilities to
implement this policy.
ADSIC shall be responsible for leading the Government-wide Abu Dhabi Information
Security Programme. These responsibilities shall include, but not be limited to:
• Developing and submitting a regular report to the Executive Council – General
Secretariat regarding the progress and strategic direction of the Information
Security Programme. Furthermore, aggregation, consolidation and review of
Information Security status reports from Abu Dhabi Government Entities.
• Receiving programme status updates from ADSIC and cascading key points
within their own organisations.
The AD-ISWG will be a consultative and information exchange body. It will not be a
decision-making body.
• Develop and maintain a register for tracking and managing the most significant
Information Security risks.
• Support ADSIC in the process of testing and evaluation of the entity information
security programme status and provide ADSIC with the requested inputs to
achieve the objective of testing and evaluation.
• Build the required capabilities to monitor the information systems and manage
Information Security incidents in the entity.