The case of the Western Region Municipality, Abu Dhabi was presented at the CISO Asia Summit in Singapore (2014). This presentation showcases both the ADSIC Information Security Programme and how government entities benefit from such a strategic initiative in information security.
Western Region Municipality Presentation at CISO Asia Summit 2014
1. A Government-wide Information Security Programme
A Case of the Western Region Municipality, Abu Dhabi, UAE
(Presented @ 3rd Annual CISO Asia, Singapore – Nov. 2014)
Presented by: Irene Corpuz, MSc, ITIL, PMP
2. The United Arab Emirates
Agenda:
1. Overview of the United Arab Emirates
2. Abu Dhabi and its Vision 2030
3. A Unified approach to Information Security through the ADSIC Information Security Program
3. The United Arab Emirates
42 Years: In just 42 years, they have converted the desert into gold...
Oil & Gas: It is one of the leading producers of oil in the Middle East and in the world
Population: 9.2 million as of 2013
Very ambitious Targets... And they don’t remain as targets
EXPO 2020: UAE won the bid to host the Expo 2020
7. Abu Dhabi Vision 2030
Abu Dhabi’s Seven Areas of Ongoing Economic Policy Focus
1. Build an Open, Efficient, Effective and Globally Integrated Business Environment
2. Adopting Disciplined Fiscal Policies that are Responsive to Economic Cycles
3. Establish a Resilient Monetary and Financial Market Environment with Manageable Levels of Inflation
4. Drive Significant Improvement in the Efficiency of the Labour Market
5. Develop a Sufficient and Resilient Infrastructure Capable of Supporting Anticipated Economic Growth
6. Developing a Highly Skilled, Highly Productive Workforce
7. Enable Financial Markets to Become the Key Financiers of Economic Sectors and Projects
8. Unifying the approach to a secured infrastructure across ALL Abu Dhabi Government Entities
9. Abu Dhabi Systems & Information Center (ADSIC) - 2008
The Centre is considered as the governmental party that owns the IT agenda of the Emirate, and has the authority to practice the following competences:
1. Supervise the implementation of the e-Government program in Abu Dhabi Government entities (ADGEs).
2. Develop the ADSIC Information Security Programme.
10. Abu Dhabi Systems & Information Center (ADSIC)
Implemented effectively, it can be instrumental in government delivering better quality, more robust and higher value services that citizens and residents can place their trust in.
11. ADSIC Information Security Programme
The ADSIC Information Security Programme is developed according to, and guided by, the existing laws and policy in the UAE:
1. Article 24 of Federal Law No. 1 of 2006
2. Federal Law No. 5 of 2012
3. Abu Dhabi Government Policy Agenda 2030
And the following standards:
1. ISO 27001
2. ISO 22301
3. NIST special publication 800-53 Rev 30
14. Department of Municipal Affairs (DMA)
• Abu Dhabi Municipality (1962)
• Al Ain Municipality (1967)
• Western Region Mun. (2006)
15. For WRM, where does the challenge come from?
By 2016, ALL Abu Dhabi Government Entities (ADGE’s) should comply and pass the requirements according to the ADSIC Standards.
Implementing ADSIC Information Security Standards is MANDATORY
16. For WRM, where does the challenge come from?
Both Municipalities have:
1. applied the ADSIC Information Security Programme V1 since 2009
2. been certified by ADSIC based on ADSIC Standards V1
3. passed the ISO 27001 Certification
17. Where is the Western Region?
(Map labels: Silaa, Mirfa, Gyathi, Liwa, Madinat Zayed, Delma)
19. Will these people care about information security?
20. What is important to the citizens at the western region?
21. What are the initial but significant steps?
Services Inventory
• Identify all the services provided to the citizens and residents in the region
• Identify all internal services where information security is critical
Information Asset Inventory
• Out of the services provided, what kind of information is generated
Information Assets are classified
• Secret
• Confidential
• Restricted
• Public
22. What kind of services does WRM provide?
There is a government initiative to put the services in the Municipality website and offer as:
1. eService
2. mService
• Land & Property management
• Community Services
• Building Permits
• Spatial Data (GIS)
• Parks & Facilities
• Roads & Infrastructure
24. Which services are critical and of high importance?
• ERP: Employees' confidential information
• Food Distribution System: Rice, juices, sugar, coffee, water & various stuff
• Land & Property management: Buildings, rent & sales, distribution
• GIS: Maps, satellite pictures, planning maps
25. Monitoring the Infrastructure
• UTM
• SIEM
• DLP (Data Loss Protection)
• WAF
• IDPS
Detecting and Responding to Attacks
Addressing web-based threat
Bringing it all together
Protecting Data Resources
26. Other activities performed by WRM
Unified IT IS Policy & IT Policy Manual
DMA Initiative to unify all IT Information Security Policy and the IT Policy Manual across all municipalities
Gap Analysis
Self-assessment according to the ADSIC Information security Control Specifications allowed us to determine the gap from current to 2016 objective
VAPT (public IP’s & Application)
✓ 1. Vulnerability Assessment was conducted by aeCERT on all PUBLIC IP’s of WRM
✓ 2. VAPT was conducted by a 3rd party consultant on 5 critical applications of WRM
27. The Self-Assessment conducted by WRM according to the ADSIC Programme?
Section 1: Summary of Work to date
Section 2: Control Standards & Specifications
Section 3: Control Ownership
Section 4: Implementation Status
Section 5: Control Effectiveness
28. What will be the outcome of self-assessment?
Once completed, the outcome of the Self-assessment is a sort of a gap analysis which will indicate the weak control specifications that need to be prioritized.
30. Accomplishments & future plans
Training & Awareness sessions escalated the maturity level of WRM in terms of Information Security
2014
1. Information Security Certified Training (HCT CERT)
2. Vulnerability Assessment conducted by aeCERT
3. Gap Analysis
4. Risk Assessment
2015
1. Information Security Certified Training (HCT CERT)
2. Alignment with the unified approach under DMA
3. Achieve compliance with the ADSIC Standards for Highest Categorization Services
2016
Achieve full compliance with AD Information Security Standards
32. The DUBAI Smart CITY
On 5 March 2014, H. H. Sheikh Mohammed bin Rashid Al Maktoum launched a strategy to transform Dubai into a 'Smart City'.
Dubai will have a 5-D control room, the world's largest room, which will be used to follow up the process of transforming Dubai into a Smart City and to oversee the government projects and service indicators, such as roads, weather conditions and emergency situations.
The strategic plan to transform Dubai into a Smart city is based on three basic ideas: communication, integration and cooperation.
33. Conclusion
Abu Dhabi Vision 2030
Challenges include preparing the federal entities with the necessary technological infrastructure, reducing the digital divide by driving people to use government services through mobile phones and portable devices, assuring them of privacy and security of their data.
34. Thank you!
Speaker’s Profile:
Irene Corpuz is the Head of Planning & IT Security at the Western Region Municipality. She acquired her Masters of Science in IT at the University of Wales, UK. She has 25 years of diversified experience in IT including IT Security, Strategy & Service Management. Her other certifications and expertise are in the fields of Quality & Excellence (ISO & EFQM), Project Management & Knowledge Management, and she has gained the essential certifications in each specialization. Her certifications include: ITIL Service Manager, ITIL V3 Foundation, CKM, EFQM Certified Assessor, ISO Lead Auditor (QMS & ISMS) and PMP.
Irene has led strategic projects in all her fields of expertise in Asia, the UAE, UK and the USA, and has received prestigious awards including Gold Stevie Awards for Women in Business – Employee of the Year (New York, 2013); Bronze Stevie Awards for Women in Business – Executive of the Year (New York, 2013); Filipino Achiever in the UAE Award (UAE, 2014); and appreciations for her successful ISO & EFQM projects in the UK and Washington DC.