GIAM & CIIP Certification State of Qatar - Q-CERT

Government Information Assurance (GIA) Policy
Current Scenario
• It is a connected world!
• More and more services are being provided online
• Continuously evolving and powerful technology is available to everybody at a cheap price
• With every opportunity comes risk.
• Your business is at RISK!
Emerging Risks
• Changing Political Scenario
  • Arab Spring
  • Qatar's prominent role in the International Arena
• Changing Economic Scenario
  • Country with highest per capita income
  • International Sporting Events
• Hacktivism
• Sophisticated Attack Vectors
• Insider Threats
• Changing Legislative Landscape
  • Data Privacy Law*
  • Critical Information Infrastructure Protection Law*
Real Incidents
• During the Arab Games in 2011, a number of critical sector and government organizations were victims of attacks from a Moroccan hacker group
• Number of sites affected: 10
• Most of the incidents involved web defacement, but it could have been worse!
• Duration of incident: the attack was persistent for two weeks
The Need for an Information Security Management System
Drivers:
• Increasing reliance on ICT
• New emerging risks
• No security baseline standards
• Insufficient trained resources
Response:
• Baseline Policy & Standards
• Auditing Model
• Certified Training
• Business Model of Information Security

Challenges in Government Sector
• Cultural Issues
• Pre-set Mindset: Peaceful and secure environment
• Lack of Awareness
• Lack of Support
• Lack of Resources

Government Information Assurance Survey (2010)
[Bar chart of survey results; only the vertical axis scale (0 to 5) survived extraction]
• 30% of IT managers of Government organizations responded
• The survey demonstrated the need for information security support
Government Information Assurance Policy
What is GIA Policy

GIA Components:
• Government Information Assurance Manual
• Government Information Classification Policy
• Implementation Guide
• Accreditation Manual

Security Governance & Processes:
• Governance Structure [IG]
• Risk Management [RM]
• Third Party Security Management [TM]
• Data Labeling [DL]
• Change Management [CM]
• Personnel Security [PS]
• Security Awareness [SA]
• Incident Management [IM]
• Business Continuity Management [BC]
• Logging & Security Monitoring [SM]
• Data Retention & Archival [DR]
• Documentation [DC]
• Accreditation [AC]

Technical Control Areas:
• Communications Security [CS]
• Network Security [NS]
• Information Exchange [IE]
• Gateway Security [GS]
• Product Security [PR]
• Software Security [SS]
• System Usage Security [SU]
• Media Security [MS]
• Access Control Security [AM]
• Cryptographic Security [CY]
• Portable Devices & Working Off-Site Security [OS]
• Physical Security [PH]
Assets Classification
Step 1: Identify key processes and their owners in the organization.
Step 2: Identify process dependencies: information, applications, systems, networks, etc.
Step 3: Determine the security classification for each information asset using the table.
Step 4: Apply the necessary controls.
GIA Policy is…
• Approved by the Board of ictQATAR and has been sent to the Council of Ministers
• Formulated from the most common international standards/best practices
• Allows a straightforward path for certification against other standards, e.g. ISO 27001
• Maps well with established standards such as ITIL
• Adopted by MoI, ABQ
Thank You
www.qcert.org