
Effective Date: Xst of Xxx 20XX
Volume / Chapter / Version: IT GOVERNANCE X X X
Page 1 of 15
Approval Stamp (Chairman):

INFORMATION SECURITY RISK MANAGEMENT POLICY

This document is the property of ADWEA and cannot be used nor provided to outside party without prior authorization.

DESCRIPTION    TITLE                                          SIGNATURE
Prepared By    Job Title / Section / Department
Reviewed By    IMS Representative
Reviewed By    Technology Advisor, Planning & Development
Endorsed By    Director / Committee
Endorsed By    Director General
Approved By    Chairman


CHANGES HISTORY SHEET

DOC. CHANGE NO. | PAGE NO. | NEW ISSUE DATED | DOC. CHANGE REQUEST NO. | SUMMARY OF CHANGE


Table of Contents

1 SUMMARY
2 GENERAL APPLICABILITY
3 IT POLICY ELEMENTS
3.1 INFORMATION SECURITY RISK MANAGEMENT POLICY
3.1.1 Policy summary / Goals
3.1.2 Applicability / Scope
3.1.3 Background
3.1.4 Guiding principle
3.1.5 Detailed policy requirements
3.1.6 Responsibilities and accountabilities
4 REFERENCES
5 APPENDICES
5.1 DEFINITIONS


1 SUMMARY

In today's world, the cyber threat landscape is evolving rapidly, at a pace where entities are
challenged to keep up with the number and variety of threats. In the face of this growing
threat landscape, entities need to adopt practical measures to defend their critical information
and information infrastructure against their most critical vulnerabilities, those that could be
exploited by threats. To this end, a risk-based approach provides entities with a pragmatic
means to identify the most critical vulnerabilities that could expose them to risks, and to
develop corresponding appropriate treatments.

Adopting a risk-based approach ensures that security controls are instituted in accordance
with current risk assessments, commensurate with the risk and the magnitude of the impact that
could result if critical information assets were compromised.

The Information Security Risk Management Policy of ADWEA outlines the elements and controls
needed for establishing a risk-based approach to information security at the entity level.

2 GENERAL APPLICABILITY

This policy is applicable to all ADWEA information assets, including (but not limited to) all
services, processes, and systems managed by the Information Technology and Operational
Technology Departments, unless specific overriding scopes are identified under specific policy
elements / sub-elements.


3 IT POLICY ELEMENTS

3.1 Information Security Risk Management Policy

3.1.1 Policy summary / Goals

- To ensure that a current and complete information risk profile exists for technology,
  applications and infrastructure within the enterprise.
- To ensure that the entity's risk appetite and tolerance are understood, articulated and
  communicated internally.
- To ensure that these risks are treated in accordance with the information security
  requirements and objectives of the entity, which are aligned with the NESA requirements.

3.1.2 Applicability / Scope

Information Security Risk Management covers all of ADWEA's information resources and
supporting systems, whether managed or hosted internally or externally.

3.1.3 Background

Entities owning, operating, and/or maintaining Critical Information Infrastructure in the UAE
must consider all relevant NESA issuances and guidance about risk management when
performing risk assessment.

These entities are charged with protecting the confidentiality, integrity and availability of their
information resources as per NESA mandates. To accomplish this task, a formal Information
Security Risk Management Program has been established as a component of ADWEA's
Information Security Program to ensure that ADWEA is operating with an acceptable level of
risk. The Information Security Risk Management Program is described in this Policy.

3.1.4 Guiding principle

Effective enterprise governance and management of IT risk:

- Always connects to business objectives.
- Aligns the management of IT-related business risk with overall enterprise risk
  management (ERM) if applicable, i.e., if ERM is implemented in the enterprise.
- Balances the costs and benefits of managing IT risk.
- Promotes fair and open communication of IT risk.
- Establishes the right tone from the top while defining and enforcing personal
  accountability for operating within acceptable and well-defined tolerance levels.
- Is a continuous process and part of daily activities.

3.1.5 Detailed policy requirements

3.1.5.1 ADWEA will use the NESA IAS as its framework for managing its IT information
security risks by establishing the context, performing IT risk assessments,
implementing risk treatments and monitoring their implementation.

3.1.5.2 There will be a formal, documented and approved process and procedure associated
with Information Security risk assessment, treatment and monitoring for ADWEA.

3.1.5.3 The scope of the risk assessment, treatment and monitoring shall cover all the critical
services and their supporting functions based on the information asset classification
(refer to the Asset Management Policy).

3.1.5.4 Roles and responsibilities related to the overall Information Security risk
management for ADWEA shall be clearly defined and communicated.

3.1.5.5 Risk impact criteria, acceptance criteria and risk evaluation criteria shall be clearly
defined under risk management standards.

3.1.5.6 Information Security risk management shall be integrated with enterprise
risk management.

3.1.5.7 The Information Security risk management plan shall cover all the main elements as
outlined below.

3.1.5.7.1 Information Risk Identification: ADWEA shall apply the information security risk
assessment process to identify risks associated with the loss of confidentiality,
integrity and availability for its critical information assets by:
- Defining clearly the scope of the risk assessment exercise.
- Identifying critical business functions.
- Identifying critical information systems supporting business-critical functions
  within the scope and boundary of the risk assessment.
- Identifying vulnerabilities related to the information and information systems.
- Identifying existing information security controls.
- Identifying threats and threat sources.
- Identifying the risk owners.
- And finally, documenting the results of the risk identification.
3.1.5.7.2 Information Risk Analysis and Evaluation: Based on the risks identified, ADWEA
shall perform a proper risk analysis and evaluation to identify and document the business
impact of the risk exposure. The following essentials need to be considered:
- Assess the potential consequences that would result if the identified risks were to
  materialize, by assessing the consequences of losses of confidentiality, integrity or
  availability.
- Assess the realistic likelihood of the occurrence of the identified risks based on the
  existing controls, identified vulnerabilities and threats.
- Determine the overall levels of risk.
- Document the results of the risk analysis.
- Establish priorities for treatment of the identified risks.
- Share the results with national and sector authorities where applicable.

3.1.5.7.3 Information Risk Treatment: ADWEA shall identify and plan appropriate risk
treatment for IT risks that have been assessed, based on the following guidelines.

It shall consider the following risk treatment options and select one or more of them
for each of the risks that have been assessed during the Risk Assessment:
- Risk Reduction: Reducing the risk by applying security controls.
- Risk Retention: Accepting the risk based on the entity's risk acceptance criteria
  established as per this policy.
- Risk Avoidance: Avoiding the activity or condition causing the risk.
- Risk Transfer: Transferring the risk to another party.

It shall identify all controls that are necessary to implement the information security
risk treatment option(s) chosen:
- It will utilize the controls mentioned under the NESA IAS as a starting point for
  control identification and may expand on it.
- It will ensure that no controls are overlooked by producing the Statement of
  Applicability for the risk treatment.
- It will identify controls, in addition to the controls suggested by NESA, that may
  be specific to the entity or the sector.

ADWEA shall then formulate a risk treatment plan which will clearly identify the
following:
- Appropriate management actions.
- Resources required.
- Responsibilities and priorities for managing information security risks.
- Target dates for implementation of the identified controls.
- Documentation of the risk treatment plan.

3.1.5.7.4 Monitoring of Information Security Risk Management: ADWEA shall plan and
document the process for the review and update of the risk assessment and
treatment; this shall include planned reviews and updates as well as ad hoc updates
if significant changes occur.
ADWEA's monitoring and review processes shall encompass all aspects of the risk
management process and shall take account of changes in:
A. The entity itself
B. Technology used
C. Business objectives and processes
D. Risk criteria and the risk assessment process
E. Assets and consequences of losses of confidentiality, integrity or availability
F. Identified threats
G. Identified vulnerabilities
H. Effectiveness of the implemented controls
I. External events, such as changes to the legal or regulatory environment,
changed contractual obligations, and changes in social climate.
ADWEA shall monitor security incidents that might trigger the risk assessment
process.
Responsibilities for monitoring and review shall be clearly defined and documented.
3.1.5.7.5 Communication of Information Security Risks: ADWEA shall communicate and
consult on risk information obtained during and after risk management activities with
all stakeholders involved.
It will establish and use a formal risk communication plan for communicating risk
information with key stakeholders, including decision-makers within the entity,
during all stages of the risk management process.

3.1.6 Responsibilities and accountabilities

Typically, the most senior management has the overall responsibility for managing risks
in any organization, as per current laws, regulations or contracts.
In the context of risks associated with IT within ADWEA, the Chairman has the overall
responsibility for managing the information-based risk exposure of ADWEA.


The detailed breakdown of the roles and responsibilities associated with Information
Security Risk Management for ADWEA is listed below.

Role: ISGC (Information Security Governance Committee)

Description / Responsibilities:

The role of the ISGC is to coordinate corporate security initiatives at the executive level
and thus enable ADWEA to optimize spending, manage its infrastructure and minimize security risk.

The ISGC is responsible for the following:
- Work with all strategic partners to develop, coordinate and follow up a national
  information security plan and program based on effective risk management to enhance
  the protection of information and assets, in coordination with the relevant authorities.
- Ratify the findings of security-related assessments and serve as the primary oversight
  function to ensure corrective actions are addressed.
- Ratify Information Security Plans, Risk Assessments and Information Security Continuity
  Plans, and verify performance against defined objectives by reviewing IT Security
  Program KPIs.
- Ensure security controls are in place to maintain and safeguard the integrity of
  information resources by balancing risk assessment, best-practice information security
  techniques and national security standards.
- Provide guidance and leadership to maintain and improve the confidentiality, integrity
  and availability of information.
- Serve as a point of escalation for security-related issues and concerns.
- Ratify assignment of information ownership, classification of principal information
  assets and the information lifecycle.
- Ratify the information security policy and supporting policies and ensure their
  effectiveness.
- Assess any requests for policy exceptions from individual business units.
- Verify the effectiveness of information security awareness and training activities.
- Act as the primary management-oriented conduit for security-related matters to the
  board and other senior stakeholders.


Role: CISO (Chief Information Security Officer)

Description / Responsibilities:

The CISO has the overall responsibility for the management of information security.

He is responsible for the following:
- Develop and manage an information security plan that identifies the information
  security environment and the controls to be implemented to protect information assets;
  monitor these internal controls and adjust/improve them when required.
- Define and manage information security risk assessments and the risk treatment plan.
- Review/approve IT Security business cases, request funding and resources, and provide
  progress reports to the ISGC.
- Identify processes and a schedule for monitoring, tracking and reporting IT Security
  Program success.
- Manage creation of and changes to IT Security Program Charter documents.
- Act as coordinator for facilitating Risk, Incident and Audit management activities.
- Interface with operations, customers and vendors to communicate IT Security Program
  policy, process and procedure changes.
- Escalate major IT Security Program issues to the ISGC.
- Communicate Information Security Policy deviations or non-conformance issues to the ISGC.
- Provide ways to improve the efficiency and effectiveness of the information security
  function.
- Collect and analyze performance and compliance data relating to information security
  and information risk management.
- Provide guidance to the IT Security Team.
- Set capability requirements and training plans for IT Security Team members.
- Build the IT Security communications plan.
- Coordinate Risk, Incident and Audit management activities.

Role: IT Security Analyst

Description / Responsibilities:
- Conduct Threat, Vulnerability, and Risk Assessments.
- Contribute to development of IT Security Program Implementation Plans.
- Identify and document security risks.


- Create a uniform set of procedural controls.
- Monitor and report risks and status to the CISO.
- Manage the IT implementation plan and remediation activities.
- Execute Security Incident Management and Response activities.
- Execute the IT Security communications plan.

Role: Information Owner

Description / Responsibilities:

An information owner is defined as a person (or persons) with statutory or operational
authority for specific information or information resources.

The information owner is responsible for the following:
- Accountable for the protection of information assets under their authority.
- Classify and define the lifecycle of information under their authority, in accordance
  with ADWEA information classification categories.
- Approve access to information resources and periodically review access lists.
- Review security controls applied to information under their authority.
- Justify, document, and be accountable for exceptions to security controls.
- Serve as trusted advisors and monitoring agents regarding information within their
  authority.

Role: System Owner

Description / Responsibilities:

A system owner is defined as an individual or a department responsible for implementing
the defined controls and access to an information resource.

The system owner is responsible for the following:
- Procurement, development, integration, modification, operation, maintenance, and
  disposal of an information system.
- Address the operational interests of the Information Owner and ensure compliance with
  information security requirements.
- Responsible for the development and maintenance of the system-specific security plan,
  and ensure that the system is deployed and operated in accordance with the agreed-upon
  security controls.

Role: Department Managers

Description / Responsibilities:

Accountable for supporting the Information Security Policy and ensuring staff compliance
in their respective departments.

Role: Information Security Business Team

Description / Responsibilities:

The Information Security Business Team is defined as a group of individuals across
different departments, nominated by their department head.

The Information Security Business Team is responsible for the following in their
respective department:
- Monitor Information Security Policies compliance.
- Monitor data classification.
- Report non-compliance to their department manager and the CISO.

4 REFERENCES

Item | Description


5 APPENDICES

5.1 Definitions

Glossary term (acronym, if any): Definition

Information Security (InfoSec): Preservation of the availability, integrity, and
confidentiality of information.
Availability (A): Property of being accessible and usable upon demand by an authorized
entity.
Integrity (I): Property of protecting the accuracy and completeness of assets.
Confidentiality (C): Property that information is not made available or disclosed to
unauthorized individuals, entities, or processes.
Policy: Overall intention and direction as formally expressed by management.
Process: Set of interrelated or interacting activities which transforms inputs into
outputs.
Procedure: Specified way to carry out an activity or process.
Exception: Any deviation from security policies and standards.
Process Owner: Person or role who has ultimate responsibility for the performance of a
process.
Standard: Technical specification contained in a document consisting of definitions,
limits, or rules which have been approved and are monitored for compliance.
System: A combination of related parts organized into a complex whole; a method or set of
procedures for achieving something, including both services and processes.


Control: Means of managing risk, including policies, procedures, guidelines, practices or
organizational structures, which can be of administrative, technical, management, or legal
nature.
Risk management framework: Set of components that provide the foundations and
organizational arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organization.
Risk management policy: Statement of the overall intentions and direction of an
organization related to risk management.
Risk owner: Person or entity with the accountability and authority to manage a risk.
Stakeholder: Person or organization that can affect, be affected by, or perceive
themselves to be affected by a decision or activity.
Level of risk: Magnitude of a risk or combination of risks, expressed in terms of the
combination of consequences and their likelihood.
Risk evaluation: Process of comparing the results of risk analysis with risk criteria to
determine whether the risk and/or its magnitude is acceptable or tolerable.
Residual risk: Risk remaining after risk treatment.
