Wednesday, November 13, 2024

Overview of Cybersecurity Regulations in the Middle East

The Middle East region is quickly emerging as a new, dynamic player in the world of cybersecurity regulations. As countries in the region diversify their economies beyond the traditional oil and gas sectors and embrace a digital future for its citizens and residents, new regulations, laws and frameworks are being introduced to ensure protection in the new digital world.

These frameworks, aimed at bolstering the cybersecurity practices across many public and private sector organizations, introduce several mandatory controls and risk management practices which are required for various businesses operating in the region with the intention of increasing cyber resilience.

As a member of Cisco Talos Incident Response, we often get to operate within these frameworks when engaging with our customers during Emergency Response activities or during proactive engagements such as Table Top Exercises, IR Playbook or IR Plan creations.

This blog will delve into the evolution of these regulations, examining the catalysts that prompted their inception and the subsequent impact on shaping the digital landscape.

State of Qatar

The State of Qatar’s cybersecurity regulatory framework consists of legislations, international standards and strategy guidelines placed within various cybersecurity frameworks, introduced across different strategic and business sectors. The primary body, responsible for cybersecurity policies, within the State of Qatar is the National Cyber Security Agency (NCSA) which was established in 2021 to facilitate the development and proposal of cybersecurity policies and regulations across the country. Several pieces of legislation cover the cybersecurity of IT systems and personal data and are directly applicable to different cybercrime laws. There are two key laws applicable in the State of Qatar are:

  • Cybercrime Prevention Law (2014): This cornerstone law criminalizes various cyber offenses, including unauthorized access, identity theft and online fraud. It prescribes penalties and outlines investigative procedures related to the aforementioned crimes.
  • Personal Data Protection Law (PDPL) (2016): This law grants individuals control over their personal data, requiring organizations to obtain consent, implement security measures, and respond to data subject requests. This law is also supported by several additional procedural guidelines, defining how some of the specific implementation of various controls, notifications and processes, which are applicable when personal data is acquired and processed, should be applied. For example, there is a requirement for data breaches to be reported to the National Cyber Governance and Assurance Affairs (NCGAA) and affected individuals within 72 hours of becoming aware of the breach.

While these laws closely guard various cybersecurity aspects related to business and individuals, Qatar’s cybersecurity landscape also includes multiple frameworks and guidelines applicable within the country. Three are described below:

The National Cybersecurity Strategy (2014)

Released in 2014, this document outlines initiatives undertaken by the Qatari government to protect key assets and identify risks related to critical information infrastructure (CII). The overall strategy focuses on five main objectives, ranging from building safeguards for the CII to establishing legal frameworks that create a safer cyberspace. It also includes strategies focused on setting up a collaborative environment aimed at building and cultivating national cybersecurity capabilities. The overall theme of this strategy is based on the understanding that cybersecurity is a shared responsibility, and that many government entities, businesses and individuals need to come together to create an environment that is resilient to cybersecurity incidents. The key controls, established within this framework, can be broken down between public and private sector responsibilities. The state, for example, issues legislations such as the Cybercrime Prevention Law (2014) or Personal Data Protection Law (2016) that all individuals and organizations in Qatar should be following. On the other hand, organizations can directly address the outlined strategy by applying the following controls across a few key pillars:

Safeguard national Critical Information Infrastructure (CII)

  • Controls that can be applied to support this pillar include vulnerability assessments, creation of incident response plans and risk management frameworks, which would outline how risk is treated within an organization and which mitigation controls need to be applied to CII organizations.

Implement efficient incident response mechanisms and recovery proceedures

  • Controls that can be applied to support this pilar include establishing of information sharing platforms, such as threat intelligence exchange platform, the ability to invoke or have the ability to train emergency response teams and have appropriate damage assessment protocols, which would reduce the effects of widespread attacks on CII infrastructure.

Develop and cultivate national cybersecurity capabilities: Build a skilled workforce, invest in research and development and strengthen national cyber defense capabilities

  • Controls which can be applied to support this pilar include establishing      cybersecurity education programs, talent recruitment initiatives and research partnerships, which might bring additional information related to how innovative cybersecurity frameworks and technical innovations can be deployed across organizations.

Qatar Cybersecurity Framework (QCF) (2018)

Developed by the Supreme Committee for Delivery & Legacy (SCDL) ahead of the 2022 FIFA World Cup, the QCF provides a set of best practices and controls for organizations to enhance their cybersecurity posture when participating in major events. Controls are mapped to various international standards such as ISO 27001, NIST SP 800-53, ISA62443, PCI-DSS and GDPR. The focus of the framework is predominantly on 14 different capabilities ranging from establishing an appropriate governance to application of security controls in the cloud.

Qatar 2022 Cybersecurity Framework diagram
A breakdown of various controls identified in the Qatar 2022 Cybersecurity Framework

This framework introduced the need to have a widely established risk management strategies that address  technical controls, such as ensuring that threats can be detected on all manner of devices such as laptops or servers (requirement 3.2), and capabilities to identify, audit, remediate and test various security strategies, such as hardening of the systems, minimizing risks through establishment of relevant internal frameworks and controls that also rely on presence of appropriate staff (i.e., requirements 4.2 and 5.2). Various controls and assessment requirements are further broken down into major domains with each presenting requirements for how successful controls should be planned, deployed, managed and controlled throughout the lifetime of an event. Where feasible, specific elements of an QCF are mapped to controls present in other standards such as National Information Assurance Standard or ISA62443.

National Information Assurance Standard (NIAS) (2023)

This recent standard introduced several controls to technical, business and governance aspects of any organization operating in the State of Qatar, including third parties and subcontractors that are specifically called out in the scope of the standard (section 2.2). The standard focuses on key areas such as data governance, data security, technical and organization controls. It prioritizes four key principles:

  • Confidentiality: Ensuring only authorized individuals access information.
  • Integrity: Guaranteeing data accuracy and completeness.
  • Availability: Making information accessible when needed.
  • Accountability: Holding individuals responsible for cybersecurity.

Another important aspect of the standard is the requirement to classify the data that is stored within the organization and the requirement to protect such data with specific controls which are applicable though proactive risk management. It should be noted that this standard operates in conjunction with National Data Classification Policy (2023) to create a synergy between information security and data classification. Each domain and control set have a set of mandatory and optional controls which leaves a scope for flexibility in how controls might be applied within a given organization, as not every possible domain might be applicable, or it may be applicable just in part. Although organizations can apply the standard on a voluntary basis, the National Cyber Security Agency also offers a certification process which assesses the compliance with the standard.

The National Cyber Security Strategy (2024)

Released in 2024, this strategy document builds on the framework established in 2014 and emphasizes the centralization of security governance under a single organization, the NCSA. The framework is guided by six principles, ranging from shared responsibility, where everyone is accountable for their cybersecurity practices, to a focus on collaboration and coordination among various stakeholders in Qatar’s cybersecurity landscape. These guiding principles underpin the five pillars of the framework, each linked to specific strategic goals, including building a resilient cybersecurity ecosystem and fostering legislation and innovation in a data-driven economy. Each pillar can be further broken down into specific objectives that will guide both private and public organizations in achieving greater security maturity through accreditations, education, research, development, and innovation in cybersecurity applications. While some objectives and pillars focus on domestic development, there is also a strong emphasis on forming regional and international partnerships.

Kingdom of Saudi Arabia

Similarly to the State of Qatar, the Kingdom of Saudi Arabia (KSA) have introduced legislations and frameworks aiming to ensure that cybersecurity application is as widespread as possible and applicable across as many sectors as possible in line with the digitization objectives. Protection from digital threats is one of the objectives of Vision 2030 which puts emphasis on digital society living in a safe cyberspace supported by the Kingdom’s e-government. The two key laws applicable in the Kingdom of Saudi Arabia are:

  • Anti-Cyber Crime Law (2007): This law is a critical piece of legislation in Saudi Arabia aiming to outline penalties for common cybercrime activities such as data theft, unauthorized access, cyber attacks, identity theft and impersonation.
  • Personal Data Protection Law (2023) (PDPL): The PDPL regulates data subject rights and grants them the right of control over their data as well as defines the role of data controllers, which have access to personal data in the Kingdom of Saudi Arabia. As this law is quite new, the grace period for compliance runs until Sept. 14, 2024, when data controllers will need to comply with outlined obligations. This law offers a wide range of rights and responsibilities, which are afforded to individuals such as the ability to access, rectify, erase and restrict processing of their personal data including breach report obligations within 72 hours.

As part of the National Cybersecurity Strategy (NCS), the National Cybersecurity Authority (NCA) was established in 2017 to regulate and improve the cybersecurity landscape in the KSA with the objective to oversee the application and development of cybersecurity regulations across the Kingdom. The strategic positioning of the NCA allows it to not only create legal, policy and regulatory environments, but actively participate and engage with regulated bodies through assessments or assistance with information sharing exchanges and other applicable partnerships.

A breakdown of NCA duties in KSA
A breakdown of NCA duties in KSA

The NCA carries out major responsibility for development and the application of various controls and frameworks across different verticals in the KSA and breaks down several shared responsibilities into frameworks, which collaborate at various levels in the public and private sectors.

National Cyber Security Strategy (NCSS) (2019)

The NCSS is a cornerstone strategy that outlines several key principles that the Kingdom of Saudi Arabia will follow to enhance the country’s cybersecurity. The strategic goals of the NCSS are to unify cybersecurity governance under one body (the NCA), create a partnership environment to collaborate and perform cybersecurity research, defend the country from cyber threats and build national and industry cybersecurity capabilities. The NCSS outlines how the Kingdom will approach the development of cybersecurity in the future and sets out administrative control over this process.

Essential Cybersecurity Controls (ECC) (2018)

Outlines a set of mandatory minimum cybersecurity requirements for organizations, public and private, operating within the Kingdom of Saudi Arabia. These controls serve as the foundation for protecting critical infrastructure, government services, and private businesses from cyberattacks and threats. There are 114 different controls established across five main domains:

Cybersecurity Governance

Focuses on establishment of mechanisms that that drive the adoption of cybersecurity measures. The key controls deployed within this standard are:

  • Establishing proper leadership roles and responsibilities for cybersecurity within an organization.
  • Emphasize the development of a robust security strategy aligned with the business roadmap.
  • Ensuring support from appropriate personnel to define clear procedures for cybersecurity risk management that can be executed though robust project management.
  • Maintenance of compliance with existing regulations.

Cybersecurity Defense

Focuses on building controls to protect systems and networks from unauthorized access, malware, and other threats. The key control in this section starts with establishing a detailed asset register, which highlights devices at risk, among the devices owned by the business and ensures that appropriate visibility is granted to systems under management. These controls come in many forms such as ensuring that identity access, mobile devices, perimeter, and network devices are well configured, hardened and segregated. In addition to building technical controls, this document also focuses on ensuring that process perspective is taken into consideration and so, there are multiple requirements around, for example, penetration testing, incident response and vulnerability management, and how these types of engagements should be performed.

Cybersecurity Resilience

Focuses on building measures to recover from cyber attacks and minimize disruptions to ongoing operations though a requirement for Business Continuity Management (BCM) and ensuring that appropriate business continuity processes are created and can be followed in an event of a major business disaster. 

Third-party and Cloud Computing Cybersecurity

Addresses security considerations resulting from engaging with third parties or cloud services. When it comes to third parties, which might augment cybersecurity capabilities of an organization, there are specific requirements related to non-disclosure agreements (NDAs), communication cadence and the need for third parties to comply with organizational policies. Cloud computing aspect of this domain, on the other hand, requires creation of appropriate policies, classification of data that will be uploaded to the cloud and separation of cloud environments internally from other tenants. ECC calls for storage of the data inside the Kingdom of Saudi Arabia.

Industrial Control Systems Cybersecurity

Addresses controls applicable to industrial control systems (ICS) and critical infrastructure (CI). This part of the ECC Standard calls for creation of a strictly segmented ICS environment that will be continuously monitored for potential incidents and safety. Configuration and hardening are also required, along with patch and vulnerability management processes, which must be implemented to ensure that cybersecurity is upheld within ICS deployment.

Critical Systems Cybersecurity Controls (CSCC) (2019)

CSCC is an extension to the ECC providing additional guidance towards organizations that operate or own critical systems. To be compliant with CSCC, the ECC requirements also need to be fulfilled. There are 32 other main controls applied across similar domains as in the ECC standard. CSCC places emphasis on the necessity to ensure that the controls, deployed and configured in alignment with the ECC, undergo a rigorous testing process. This involves regular assessments to review applicable security configurations and address any identified deficiencies. The overarching goal is to maintain a robust cybersecurity framework by continuously testing and validating the effectiveness of the implemented controls in accordance with the ECC standard and adding additional layer of verification or additional controls.

Cloud Cybersecurity Controls (CCC) (2020)

Similarly to CSCC, the CCC controls are an extension of the ECC and aim to provide a set of minimal requirements, which cloud service providers (CSP) and cloud service tenants (CST) need to fulfil to ensure that data, stored in the cloud, is safe. This framework divides controls into these applicable to cloud service providers and cloud service tenants. While some controls are identical, the general theme of the framework puts a requirement for providers to inform tenants about cybersecurity controls that are applicable to data stored in the environment, and for tenants to have applicable policies which they can compare and contract with controls provided by CSP. There also are strict requirements on controls such as personnel vetting, data storage and disposal, access and policies and procedures that need to be created and applied to cloud assets.

Sultanate of Oman

The Sultanate of Oman started to examine their cybersecurity practices in 2010 with the creation of the Oman Computer Emergency Readiness Team (OCERT), which monitors cyber threats, investigates incidents and provides guidance to organizations based on the latest cybersecurity laws and standards applicable in the country. The laws that are applicable in the Sultanate of Oman support Oman’s Vision 2040, which puts a strong emphasis on digital transformation and presence of technology across the economy. The two key laws applicable in the Sultanate of Oman are:

Personal Data Protection Law (PDPL) (2023)

Oman’s flagship data protection law, granting individuals rights over their personal data and imposing obligations on organizations handling the data. In terms of application, organizations must adopt data protection measures in line with the PDPL, including obtaining consent, implementing security controls and responding to data subject requests.

Cyber Crime Law (2011)

This cornerstone law criminalizes the unauthorized access, modification or destruction of data and other common cybercrime such as fraud or violation of privacy.

The following guidelines and standards, aimed mostly at government and public-sector entities, are available in the Sultanate of Oman:

Basic Security Controls (BSC) (2017)

The BCS controls standards outline the set of basic and necessary security controls that should be applied across government organizations in Oman. Starting with access control, the standard breaks down applicable cybersecurity guidance into twelve major control groups and offers a high-level guidance on how each of the major domains should be applied. Each security control outlines how it should be established, validated, and introduced within the organisation. For example, when “Incident Management” controls are mentioned, BSC outlines how the process of identifying, analysing, responding, and recovering from security incidents should be documented and what kind of skills or mechanism should be implemented to protect confidentiality, integrity, or availability of the information assets. The BCS framework also outlines a checklist that should be applied within every organization.

Database Security Standard (2020)

The standard aims to ensure that basic minimal security controls are applied for the database systems and their users such as administrators, developers, and database managers. It outlines several security controls, specifically related to databases, such as the need to segregate duties or privileges of various database users to ensure that database `root` is not granted to low-level users or enablement of encryption within the applications communicating with the database. Specific security controls such as data classification, change management and audit should also be applied to database servers. 

Information Security Management Policy (2019)

Applicable to all custodians of information on behalf of the Sultanate of Oman, this policy outlines high-level information security principles that should be applicable to all organizations. It calls for creation of Information Security Committee which might consist of existing steering committees or senior management, looking after data within any government organization. The committee should oversee the development and implementation of security program, applicable within the organization, and implement specific steps such as risk management, data classification, awareness training, incident management and business continuity.

Cybersecurity Governance Guidelines (2017)

This high-level guideline framework outlines the overview of various cybersecurity governance principles and requires regulated bodies to establish cybersecurity governance within organization. The framework offers a guidance on how governance process should be established within the business, in a form of six key steps which aim to help in identifying current, desired, and future state of cybersecurity within a government organization. The breakdown of the guidelines is as follows:

  • Identify stakeholder needs: Organizations should identify the key stakeholders, their requirements, and expectations for cybersecurity programme that support overall business mission and objectives.
  • Manage cybersecurity transformation strategy: Involves defining the vision, legal framework, goals, and objectives for cybersecurity programme based on understanding of current weaknesses and cybersecurity culture within an organization.
  • Define cybersecurity structure: Involves establishing the governance structure, roles and responsibilities (via RACI matrix), policies and standards, and processes and procedures for cybersecurity that should be implemented going forward. This step also calls for involvement of steering committee which sets the tone and direction of cybersecurity transformation.
  • Manage cybersecurity risks: This step involves identifying, assessing, treating and monitoring the cybersecurity risks, as well as implementing controls and measures to mitigate them based on acceptable tolerance levels.
  • Optimize cybersecurity resources: This step calls for allocation and management of the human, financial and technical resources for cybersecurity programme, as well as ensuring that available resources are aligned to expected goals that the programme is meant to achieve.
  • Monitor cybersecurity effectiveness: This step involves measuring and evaluating the performance and effectives of a cybersecurity programme, as well as reporting and communicating the results and feedback to steering committee and organizational management.

Cloud and Hosting Services Standard (2019)

Cloud and Hosting Services Standard (CHSS) presents a breakdown of requirements applicable to Cloud Service Providers (CSP). At a high level, the CSPs not only need to comply with international security frameworks such as ISO 27001, ISO27017 and ISO 270018 and control matrices presented by Cloud Security Alliance (CSA) and PCI-DSS when hosting payment solutions. An important emphasis of this framework is on how data is handled, classified, and stored within a cloud environment and how access to such environments is provided. A CSP is also to be accredited by a “Third-Party Assessment Organization” which will audit, and access compliance of cybersecurity controls related to contingency planning, monitoring and the results of various assessments such as penetration testing.

Overview of applicable laws, frameworks and regulations

To better demonstrate how each country creates and applies cybersecurity regulations the following table was devised based on available frameworks, law and applicable guidelines at the time of writing this blog:

State of Qatar Kingdom of Saudi Arabia Sultanate of Oman
Applicable Law Cybercrime Prevention Law (2014)   Personal Data Protection Law (2016) Anti-Cyber Crime Law (2007)   Personal Data Protection Law (2023) Cyber Security Law (2019)   Personal Data Protection Law (2023)  
Country-level Cybersecurity Strategy Overview The National Cyber Security Strategy (2014)   The National Cyber Security Strategy (2024) National Cybersecurity Strategy (2019) N/A
Frameworks, Guidelines or Standards applicable within country Qatar Cybersecurity Framework (QCF) (2018)   National Information Assurance Standard NIAS (2023)   National Data Classification Policy (2023)   The National Cyber Security Strategy (2014)   The National Cyber Security Strategy (2024)   Essential Cybersecurity Controls (ECC) (2018)   Critical Systems Cybersecurity Controls (CSCC) (2019)   Cloud Cybersecurity Controls (CCC) (2020) Cybersecurity Governance Guidelines (2017)   Basic Security Controls (2017)   Information Security Management Policy (2019)   Cloud and Hosting Services Standard (2019)   Database Security Standard (2020)
Regulatory Body National Cyber Security Agency National Cybersecurity Authority Cyber Defence Centre   Ministry of Transport, Communications and Information Technology (MTCIT)

Conclusion

Although every listed country introduced their own flavours of cybersecurity controls, spread across many standards, frameworks and laws, there are some commonalities between all countries mentioned in this blog post:

  • Each country, although introducing a different approach to cybersecurity, bases the frameworks on three core principles of cybersecurity – confidentiality, integrity and availability. Irrespective of the country, these principles are evident in the law or frameworks, which are applicable across different sectors.
  • The range of security controls each organization must implement may differ depending on the criticality of the vertical where this organization operates. Although organizations, which are more exposed to sensitive business verticals such as health care or critical infrastructure (CI), might have slightly different requirements for cybersecurity, most frameworks put an emphasis on continuous identification, assessments and mitigation of potential cybersecurity threats. Cybersecurity is a continuous process and data security never stops, they need to be upheld through regular testing and assessments.
  • Even with strong defences, cyber attacks can happen. Therefore, many standards and frameworks require the deployment of technical measures like firewalls, endpoint controls, visibility and encryption. There are many organizational measures that can also be taken, such as security awareness training and incident response procedures. It is exceedingly rare that a one-size-fits-all approach might be taken to create, for example, appropriate indecent response procedures, hence most frameworks put an emphasis on understanding the risks or deficiencies and creation of customized procedures that guide the business principles to provide cybersecurity for their customers and users. This is where Talos Incident Response can help to prepare these kinds of procedures that comply with local frameworks and regulations.
  • Active risk management is generally expected by most frameworks and standards and proactive approach to identifying, assessing, mitigating and monitoring potential threats and vulnerabilities is encouraged or mandated. It is not just about setting up defenses and hoping for the best — it’s about actively looking for weaknesses, understanding the evolving threat landscape, and taking deliberate steps to minimize the effects of potential cyberattacks.
  • Some of these frameworks root their fundamental guidance and approach in international standards such as GDPR, NIST or ISO27001 while setting a baseline on which remaining controls can be built upon. In practice this means that if an organization already employs basic NIST controls or are compliant with ISO27001 the application of additional controls might prove to be much easier exercise.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn

Share:


Related Articles

Latest Articles