
National Information Assurance Framework

Qatar Ministry Of Information and Communication Technology



What is Q-CERT?

Qatar's National Center for Information Security
An ictQATAR initiative
Works with organizations who deliver critical services in Qatar
Q-CERT
A leader in Qatar and the region in promoting IT security standards, practices, products and services to improve the security of critical IT infrastructure

A trusted confidant and partner in responding to cyber security incidents and providing threat and vulnerability reporting

A leader in building the cyber security awareness, skills and human capacities in the country

Our Approach
• We encourage all organizations to have an Information Security Risk Management program in place
• We work directly with organizations who provide critical services to the nation
• We help organizations to improve their cybersecurity capability and capacity
• Q-CERT never discusses the confidential information it receives
• There is no charge for Q-CERT services - designed to complement private sector, not compete with it
The need of Information Security Management System
Government Information Assurance Survey
Increasing Reliance on ICT
Baseline Policy & Standards
New Emerging Risks
Auditing Model
No Security Baseline standards
Certified Training
Insufficient trained resources

Emerging Risks
• Changing Political Scenario
• Arab Spring
• Qatar’s prominent role in International Arena
• Changing Economic Scenario
• Country with highest per capita income
• International Sporting Events
• Hacktivism
• Sophisticated Attack Vectors
• Insider Threats
• Changing Legislative landscape
• Data Privacy Law*
• Critical Information Infrastructure Protection Law*
Challenges
Business Model of Information Security
• Cultural Issues
• Pre-set Mindset: Peaceful and secure environment
• Lack of Awareness
• Lack of Support
• Lack of Resources

National Information Assurance Framework



Qatar Information Assurance Framework

Electronic Commerce & Electronic Signatures Law

Cyber Crime Law (MOI)

Data & Privacy Protection Law

Critical Information Infrastructure Protection Law


Anti-Spam Policy
Qatar National Information Assurance Policy
Policies

Asset Classification Policy

Banking Supervision rules (QCB)

Cloud computing Security

Small Data Center Security guideline

Blackberry Security Policy (Mobile Security)

Health Assurance Policy


Standards

SCADA Security Guidelines

Information Security for Schools Policy

Web Hosting Security Framework


Guidelines

GOVERNMENT: Technology Standards, Best Practices
NON-GOVERNMENT: Technology Standards, Best Practices
General Public: Security Guidelines/ Tips
CRITICAL INFRASTRUCTURE

Policies-Standards-Guidelines
• National Cryptography policy
• Accreditation and Certification Framework
• Public WiFi Security Policy
• BYOD Security Policy
• IOS Security Policy (Apple devices Security)

Cyber Crime Law


Categories of criminal activity:

• Crimes against the Confidentiality, Integrity and Availability of Computer Data and Systems
• Computer-related offences
• Content-related offences
• Offences related to infringements of Copyright and Related Rights



Data & Privacy Protection Law (1)

• Promotes the protection of the personal privacy of individuals, including children, with regard to the processing of personal information in the State of Qatar;
• Promotes the economic interests of the State of Qatar, particularly in relation to entrepreneurship, innovation and economic development;
• Adheres to the international obligations accepted by the State of Qatar and promotes global privacy interoperability so as to enable the free flow of information;
• Promotes trust in interaction with digital environments; and
• Minimises and simplifies regulations for the benefit of both businesses and consumers, including encouraging self-regulation through voluntary codes of conduct.


Data & Privacy Protection Law (2)

Rights of Individuals
• The right to object to the processing of any personal information about that individual for a primary purpose
• The right to withdraw consent to the processing of any personal information about that individual for a secondary purpose
• The right to the removal or erasure of personal information about that individual
• The right to the correction, removal or erasure of inaccurate personal information


CIIP Law (1)

• Reinforce security and resilience of critical information and communication technology infrastructure
• Eliminate/reduce security breaches on critical sectors’ information
• Ensure that critical infrastructures in the country are less vulnerable to breaches and disruptions
• Ensure fast resumption of operation in event of breach or disruption
• Ensure that businesses are well equipped to cope with incidents of breaches

CIIP Law (2)

• Should have CSOs
• CSOs shall incorporate and ensure
  - Incident Management Controls
  - Business Continuity Controls
  - Engage in sector wide co-operation and collaboration
  - Information Security Program is independently audited
• CSO shall be subject to a financial penalty of the equivalent of (One hundred thousand Qatari Riyals) per week until the CSO conformance is approved.


Critical Sectors
Sectors are deemed critical when their incapacitation or destruction would have a
debilitating impact on the national security and social well-being of a nation

Can't call for help



Am I critical?
What is NIA Policy
NIA Policy is…
Approved by the Board of ictQATAR and has been sent to Council of Ministers.
Formulated from most common international standards/best practices
Allows straightforward path for certification against other standards e.g. ISO27001
Maps well with established standards such as ITIL

Adopted
Assets Classification
Step 1: Identify key processes and their owners in the organization.
Step 2: Identify process dependencies: information, applications, systems, networks, etc.
Step 3: Determine the security classification for each information asset using table
Step 4: Record the full classification


Q-CERT comprehensive support towards adopting NIA
Q-CERT provides you consultation and subject matter advice on information security.
Courses are developed to assist stakeholders in implementing an ISMS using NIA Policy.
Tools developed to assist you in implementation, audit and compliance process
All the material including NIA Policy documents and courses are available in Arabic
National goals and Achievements
Thank You
www.qcert.org
