by Ben Smith
April 16, 2020
The United Arab Emirates’ (UAE) National Electronic Security Authority (NESA) Information Assurance Standards state that various information security policies should be in place across the organization and should comply with policies and with any other standards that are applicable. The NESA standard is a composite of many different types of controls and was derived from similar standards including the ISO 27000 standards, NIST 800, and CIS Controls. NESA makes it clear that organizations must comply with all applicable policies, laws, and compliance standards. Many controls require the organization to have appropriate policies covering all aspects of information security. In this report, the CISO can easily see the organization’s current compliance state with NESA and how that compares to other similar standards.
Ensuring that policies are in place for all aspects of information security is another goal of NESA. Tenable.sc provides visibility into system configuration policies and vulnerability management controls. The existence and adherence to policies are the result of a healthy vulnerability management program. Then, the CISO can see the frequency with which vulnerabilities of varying criticalities are discovered in the environment. The total number of vulnerabilities in the organization’s environment versus vulnerabilities that have been previously mitigated are easily understood.
NESA makes clear that organizations are to perform their own risk analysis. The organization should rely on a risk ranking for all risks in the environment and utilize that information when deciding patching necessity and frequency. Vulnerability Priority Rating (VPR) quantifies how urgently a vulnerability should be remediated. The CISO can easily understand risks that have been ranked this way versus CVSS score. All environments being different, the CISO or security consultant can also understand which risks have changed to a different criticality in the environment by looking at risks that have been recast.
A compliance program requires the ability to track success and failure over time. NESA requires the tracking of success and failure over time. The CISO can efficiently understand how compliance with the NESA standard has changed over a recent time frame by checking a trend line showing audit checks results.
Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provides the ability to continuously Measure an organization’s policy compliance. Tenable.sc provides customers with a full and complete Cyber Exposure platform for completing an effective Cyber Hygiene program prescribed by NESA standard.
This report contains:
Compliance Summary: The Compliance Summary chapter shows the executive team the overall state of compliance in their NESA environment. Starting with a trend line which shows the count of compliance issues over the past 25 days, the executive team is able to assess the organization's remediation efforts. Following the trend line is a matrix that quickly lays out the organization's adherence to NESA and similar compliance standards.
Vulnerability Summary: The Vulnerability Summary chapter shows the currently vulnerable systems on the network. The executive leadership utilizes the information in this chapter to understand where patch efforts should be prioritized. This chapter also shows how vulnerable the network currently is and can assist determining how well patch efforts are going.
Risk Summary: The Risk Summary chapter shows the executive team overall risk in their environment. The chapter establishes vulnerability counts over time along with a heat map to illustrate levels of risk across the network. It focuses on vulnerabilities discovered in the network in relation to their VPR score to show how many higher risk vulnerabilities are being detected. It then shows vulnerabilities in the environment that have been through a risk scoring process and have had their risk rating "recast."
Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provides the ability to continuously Measure an organization’s policy compliance. Tenable.sc provides customers with a full and complete Cyber Exposure platform for completing an effective Cyber Hygiene program prescribed by the NESA standard.