Government Information Assurance (GIA) Policy

Current Scenario
• It is a connected world!
• More and more services are being provided online
• Continuously evolving and powerful technology is available to everybody at a cheap price
• With every opportunity comes risk. Your business is at RISK!

Emerging Risks
• Changing Political Scenario
   • Arab Spring
   • Qatar’s prominent role in International Arena
• Changing Economic Scenario
   • Country with highest per capita income
• International Sporting Events
• Hacktivism
• Sophisticated Attack Vectors
• Insider Threats
• Changing Legislative landscape
   • Data Privacy Law*
   • Critical Information Infrastructure Protection Law*

Real Incidents
• During Arab Games in 2011
• A number of critical sector and government organizations were victims of attacks from Moroccan Hackers group
• Number of sites affected: 10
• Most of the incidents involved web defacement but it could have been worse!
• Duration of incident: The attack was persistent for two weeks

The need of Information Security Management System
• Increasing Reliance on ICT
• New Emerging Risks
• No Security Baseline standards
• Insufficient trained resources
• Government Information Assurance Survey
• Baseline Policy & Standards
• Auditing Model
• Certified Training
• Business Model of Information Security

Challenges in Government Sector
• Cultural Issues
• Pre-set Mindset: Peaceful and secure environment
• Lack of Awareness
• Lack of Support
• Lack of Resources

Government Information Assurance Survey (2010)
• 30% of IT managers of Government organizations responded
• Survey demonstrated the need of information security support

Government Information Assurance Policy

What is GIA Policy
• Government Information Assurance Manual
• Government Information Classification Policy

Security Governance & Processes
• Governance Structure [IG]
• Risk Management [RM]
• Third Party Security Management [TM]
• Data Labeling [DL]
• Change Management [CM]
• Personnel Security [PS]
• Security Awareness [SA]
• Incident Management [IM]
• Business Continuity Management [BC]
• Logging & Security Monitoring [SM]
• Data Retention & Archival [DR]
• Documentation [DC]
• Accreditation [AC]

Technical Control Areas
• Communications Security [CS]
• Network Security [NS]
• Information Exchange [IE]
• Gateway Security [GS]
• Product Security [PR]
• Software Security [SS]
• System Usage Security [SU]
• Media Security [MS]
• Access Control Security [AM]
• Cryptographic Security [CY]
• Portable Devices & Working Off-Site Security [OS]
• Physical Security [PH]

GIA Components
• Implementation Guide
• Accreditation Manual
• Certified Training

Assets Classification
• Step 1: Identify key processes and their owners in the organization.
• Step 2: Identify process dependencies: information, applications, systems, networks, etc.
• Step 3: Determine the security classification for each information asset using the table.
• Step 4: Apply the necessary controls.

GIA Policy is…
• Approved by the Board of ictQATAR and has been sent to Council of Ministers.
• Formulated from most common international standards/best practices
• Allows a straightforward path for certification against other standards, e.g. ISO27001
• Maps well with established standards such as ITIL
• Adopted by MoI, ABQ

Thank You
www.qcert.org