Monday, March 31, 2025

The Middle East has witnessed a surge in cybersecurity threats and breaches in recent years, prompting governments and regulatory bodies to establish robust frameworks for securing digital transactions. The UAE’s Cybersecurity Law, enacted in 2013, mandates that organizations implement comprehensive information security measures to protect personal data.

The Middle East is rapidly emerging as a fresh and dynamic player in the global landscape of cybersecurity regulation. As regional economies move beyond traditional oil and gas industries and embrace a digital future for citizens and residents, new legislation, regulatory frameworks and legal guidelines are emerging to safeguard security in this evolving digital landscape.

These frameworks, designed to enhance cybersecurity best practices across multiple private and public sector organizations, establish a range of mandatory controls and threat mitigation strategies that enable various entities operating in this space to accelerate their cyber resilience.

As members of the Cisco Talos Incident Response team, we often find ourselves operating within these frameworks as we collaborate with clients during incident response engagements or proactively deliver services such as threat hunting, incident response or security assessments.

This blog explores the origins of this pivotal legislation, the driving forces behind its creation, and its impact on the region’s digital landscape.

State of Qatar

Qatar’s cybersecurity regulatory framework comprises laws, global standards and technical guidelines set out in several cybersecurity frameworks released across different strategic and business sectors. The National Cyber Security Agency (NCSA), responsible for overseeing cybersecurity policy, was launched in 2021 to drive the development and implementation of cybersecurity regulation nationwide. Multiple legal frameworks cover the cybersecurity of IT systems and personal data and tie directly into the cybercrime laws. In the State of Qatar, two legal frameworks are pivotal.

  • The Cybercrime Prevention Law criminalizes a range of cyber offenses, including unauthorized access, identity theft and online fraud. It sets out specific punishments and provides detailed guidelines for conducting investigations into these offenses.
  • The Personal Data Protection Law (PDPL), enacted in 2016, empowers individuals to control their personal data by requiring organisations to obtain informed consent, implement robust safeguards and respond promptly to data access requests. The law is bolstered by several provisions that set out the specific control mechanisms, notification systems and processes that apply when acquiring and processing private data. It requires notifications to be sent to the NCGAA and to affected individuals within 72 hours of discovering a data breach, ensuring prompt action in response to potential incidents.

While these laws provide robust protection for the cybersecurity aspects affecting businesses and individuals, Qatar’s cybersecurity landscape also encompasses several frameworks and guidelines that apply nationwide. The main ones are described below:

National Cyber Security Strategy (2014)

In 2014, Qatar’s government introduced a comprehensive strategy to protect its critical information infrastructure (CII), identifying vital assets and potential threats. The strategy sets five fundamental objectives, beginning with protective measures for CII and culminating in the establishment of legal frameworks that foster a safer online environment. It also encompasses methods for developing and nurturing national cybersecurity capacity in a collaborative environment. The overarching principle is that cybersecurity is a collective responsibility: government agencies, organizations and individuals must work together to build an environment that is inherently robust against cyber threats. Responsibility for the critical elements governed by this framework is shared between the private and public sectors. The Qatari government also points to specific regulations, including the 1994 Labour Law and the 2006 Commercial Companies Law, which all individuals and organisations in the country are expected to adhere to. The strategy is implemented through a few key pillars:

  • Vulnerability assessments, incident response planning and threat management framework development are controls that support this pillar’s objectives, defining how threats are addressed within an organization and prescribing the mitigation measures required of critical infrastructure institutions.
  • Controls that mitigate risks to critical infrastructure include data-sharing platforms such as a threat intelligence exchange, empowered emergency response teams and robust damage assessment protocols, reducing the impact of widespread attacks on CII.
  • Mechanisms for this pillar’s objectives include cybersecurity education programs, talent acquisition strategies and research collaborations that leverage current cybersecurity frameworks and technologies to enhance organizational resilience.

Qatar Cybersecurity Framework (QCF) (2018)

Developed by the Supreme Committee for Delivery & Legacy (SCDL) ahead of the 2022 FIFA World Cup, the QCF provides a set of best practices and controls that organizations can use to strengthen their cybersecurity posture. Its controls are mapped to a range of international standards, including ISO 13485, AS9100D, IEC 62304 and FDA QSR 21 CFR 820. The framework focuses on 14 distinct capabilities, ranging from establishing effective governance to implementing cloud security controls.

Qatar 2022 Cybersecurity Framework diagram
The mechanisms the Qatar 2022 Cybersecurity Framework provides for managing and mitigating cybersecurity risk are numerous and multifaceted.

The framework requires a comprehensive threat management approach, including technical controls that detect threats across devices such as laptops or servers (requirement 3.2). It also demands the capability to identify, audit, remediate and test security measures, including system hardening, risk minimization through internal frameworks and controls, and reliance on adequately trained personnel (requirements 4.2 and 5.2). Controls and assessments vary across domains, each with specific requirements for designing, deploying, managing and maintaining control processes throughout an event’s lifecycle. In some cases, components of the QCF are mapped to existing controls that meet similar requirements in other relevant standards.

National Information Assurance Standard (NIAS) (2023)

The latest standard introduces controls affecting the technical, business and governance aspects of any organization operating in the State of Qatar, including the third parties and subcontractors named in its scope (Part 2.2). Its emphasis centres on pivotal areas such as data management, security, and technology and personnel regulation. It prioritizes four key principles:

  • Confidentiality: ensuring that only authorized individuals can access information, through secure and reliable access controls.
  • Integrity: guaranteeing the accuracy and completeness of data.
  • Availability: making information accessible when needed.
  • Accountability: holding people responsible for cybersecurity.

The importance of classifying and controlling sensitive information within an organization cannot be overstated; it requires both proactive threat management and security measures tailored to specific requirements. The standard is complemented by the National Information Classification Policy, also released in 2023, which links information security to data classification. Within every control set and domain, controls are split into mandatory and non-mandatory, allowing flexibility in how they are applied across organizations. Not all domains are necessarily relevant, nor do they have to be applied in their entirety, which allows targeted use. Organizations can apply the standard voluntarily, and the National Cyber Security Agency also offers an assessment that evaluates compliance with it.

National Cyber Security Strategy (2024)

The 2024 strategy builds on the framework established in 2014 by centralizing security governance under the National Cyber Security Agency (NCSA), fostering greater cohesion and consistency across the country. It is governed by six fundamental principles, beginning with shared responsibility, where all parties are held accountable for their own cybersecurity practices, and culminating in collaboration and coordinated action among the diverse stakeholders in Qatar’s cybersecurity landscape. These principles inform five interconnected pillars, each aligned with specific strategic goals, including building a robust cybersecurity infrastructure and promoting legal frameworks that foster innovation in a data-driven economy. Each pillar is broken down into specific objectives that give actionable guidance to both private and public entities seeking to enhance their cybersecurity posture through accreditation, education, research, development and innovation. While some objectives focus on local development, there is also a strong emphasis on collaboration with regional and global partners.

Kingdom of Saudi Arabia

In line with its digitization objectives, the Kingdom of Saudi Arabia has launched various initiatives and frameworks to drive the adoption of cybersecurity measures across multiple sectors. Cybersecurity and protection from digital threats are key objectives that several institutions support alongside the Kingdom’s e-government initiatives. Two crucial legal frameworks shape governance and commerce in the Kingdom:

  • Saudi Arabia’s anti-cybercrime law specifies penalties for offenses such as intellectual property theft, unauthorised access, cyber attacks, identity theft and impersonation.
  • The Personal Data Protection Law (PDPL) governs the rights of data subjects over their personal data and defines the roles of data controllers who process personal data within the Kingdom of Saudi Arabia. As the regulation is relatively new, a transitional period for achieving compliance continues until September; as of January 14, 2024, data controllers may need to adapt to the outlined requirements. The regulation confers diverse rights and obligations, including the right to access, rectify, erase or restrict the processing of personal data, within a 72-hour timeframe.

As part of the National Cybersecurity Strategy, the Saudi National Cybersecurity Authority (NCA) was founded in 2017 to oversee and strengthen the country’s cybersecurity landscape and to regulate the application and development of cybersecurity laws across the Kingdom. The NCA’s strategic position enables it not only to create the legal, policy and regulatory environment but also to engage with regulated entities through assessments, information-sharing exchanges and other partnerships, fostering a collaborative approach to cybersecurity.

A breakdown of NCA duties in KSA

The NCA plays a pivotal role in driving growth and implementing diverse control mechanisms across various sectors in the Kingdom of Saudi Arabia (KSA). By consolidating numerous shared responsibilities into frameworks, it facilitates collaboration at multiple levels between private and public entities.

National Cybersecurity Strategy (2019)

The strategy is a cornerstone document outlining the key principles the Kingdom of Saudi Arabia follows to reinforce the nation’s cybersecurity posture. Its primary goals are to establish unified cybersecurity oversight under the NCA, foster a collaborative environment for sharing knowledge and conducting threat assessments, safeguard the nation against cyber attacks, and develop robust national and industry-wide cybersecurity capacity. The strategy also sets out the Kingdom’s approach to the inevitability of cybersecurity incidents, with clear guidelines on administrative oversight throughout the process.

Essential Cybersecurity Controls (ECC) (2018)

Organizations operating in the Kingdom of Saudi Arabia must adhere to a set of core requirements covering governance, compliance and risk management that protect employees, customers and assets alike. These controls serve as a foundation for protecting critical infrastructure, government agencies and private organizations from cyber threats and attacks. The ECC’s five domains contain a total of 114 distinct controls.

The cybersecurity governance domain drives the establishment of mechanisms that facilitate the widespread adoption of robust cybersecurity measures. Its key controls are:

  • Defining clear management roles and responsibilities for cybersecurity within an organization.
  • Ensuring that security policies are implemented in line with the organization’s strategy.
  • Ensuring timely support from qualified experts to develop concise procedures for managing cybersecurity threats and to implement them effectively, even under project management pressure.
  • Maintaining compliance with current legislative frameworks.

The cybersecurity defence domain develops and implements safeguards to protect systems and networks from illicit access, malicious code and other risks. Effective IT asset management starts with a comprehensive, up-to-date asset register that identifies vulnerable devices and gives transparent visibility into all administered systems. These controls ensure the proper configuration, hardening and segregation of identity and access management, mobile devices, perimeters and network devices. Alongside the technical safeguards, this domain also considers process perspectives, outlining requirements such as data classification, incident response and compliance with regulatory standards, and detailing how each should be executed.

The cybersecurity resilience domain develops measures to recover swiftly from cyber attacks, minimize disruption to ongoing business activities, and meet Business Continuity Management (BCM) requirements by designing and implementing business continuity processes that protect against significant disruption.

The third-party and cloud computing domain identifies risks arising from collaboration with external parties or cloud providers and stresses the security measures needed to mitigate them. Where third parties support a corporation’s cybersecurity capabilities, specific requirements must be met, including non-disclosure agreements and the third party’s ability to adhere to organizational policies. Cloud computing is a crucial aspect of this domain and requires suitable policies, classification of data intended for upload to the cloud, and segregation of the organization’s cloud environment from those of other tenants. The ECC also places requirements on the storage of data within the Kingdom of Saudi Arabia.

The industrial control systems domain ensures that controls are aligned with the requirements of industrial control systems (ICS) and critical infrastructure (CI). The ECC requires a rigorously segregated ICS environment that is continuously monitored for signs of potential incidents or security breaches. To maintain the integrity of an ICS deployment, configuration and hardening procedures must be implemented alongside regular patching and vulnerability management.

Critical Systems Cybersecurity Controls (CSCC) (2019)

The CSCC is an extension of the ECC that provides additional guidance and requirements for organizations operating or implementing critical systems. To comply with the CSCC, the ECC requirements must be met in addition to those the CSCC adds. It introduces 32 additional controls across domains that mirror those of the ECC. The CSCC emphasizes that controls deployed and configured in accordance with the ECC must be subjected to thorough and rigorous testing, with routine evaluation of existing security measures and remediation of any identified vulnerabilities. Continuously testing and validating the efficacy of implemented controls, aligned with the ECC while adding further layers of verification, is essential to a robust cybersecurity posture.

Cloud Cybersecurity Controls (CCC) (2020)

The Cloud Cybersecurity Controls establish a minimum set of requirements for cloud service providers (CSPs) and cloud service tenants (CSTs) to secure data stored in the cloud. The framework categorizes controls into two groups: those that apply to CSPs and those that apply to CSTs. While some controls have equivalents in both groups, the framework’s objective is for providers to inform tenants of the cybersecurity measures applicable to the data they host, and for tenants to maintain suitable policies and to evaluate and contract for the controls the CSP provides. Strict controls must be established over access to sensitive information, including thorough background checks, secure data storage and destruction procedures, and comprehensive policies and access controls to protect cloud assets.

Sultanate of Oman

In 2010, the Sultanate of Oman took a proactive approach to cybersecurity by establishing the Oman Cybersecurity Emergency Response Team (OCERT), responsible for identifying and investigating cyber threats and for guiding organisations in line with the latest national cybersecurity regulations and standards. Oman’s laws apply to businesses and individuals across the entire economy. The two primary legal frameworks applicable in the Sultanate of Oman are:

Personal Data Protection Law (PDPL) (2023)

The PDPL enshrines individual autonomy by granting people rights to control their personal data while imposing regulatory obligations on the organizations that handle it. Organizations must adopt robust data safeguards in compliance with the PDPL, including obtaining informed consent, deploying effective security controls and promptly addressing data access requests.

Cyber Crime Law (2011)

This legislation criminalizes the unauthorized access, alteration, or deletion of digital data, as well as a broad range of other cybercrimes, including fraud and privacy violations.

The following guidelines and standards, primarily targeted at government bodies and public institutions, also apply in the Sultanate of Oman.

Basic Security Controls (BSC) (2017)

The BSC defines the fundamental security controls that should be implemented across public sector organisations in Oman. Starting with access management, the framework divides cybersecurity governance into 12 primary control groups and gives overarching direction on how each domain should be applied. The controls consistently outline the steps for establishing, validating and implementing procedures across the organization. For the Incident Management controls, for example, the BSC sets out procedures for identifying, analyzing, responding to and recovering from security incidents, emphasizing documentation and mechanisms to safeguard the confidentiality, integrity and availability of information assets. The BSC gives specific guidance for each group.

Database Security Standard (2020)

The standard ensures that minimum baseline security controls are applied to database systems and their users, such as developers and database administrators. It details security measures specific to databases, emphasizing the separation of responsibilities and permissions among database users so that the root account is not used for routine access, and the use of encryption for connections to the database. Security controls mirroring those used in data classification, change management and auditing must also be implemented to ensure the secure operation of database servers.

Information Security Management Policy (2019)

The policy applies to all entities that safeguard sensitive information on behalf of the Sultanate of Oman and sets out guidelines for ensuring the confidentiality and integrity of data. It requires the establishment of a dedicated Information Security Committee to oversee data security across all government entities. The committee oversees both the development and the implementation of a comprehensive security program relevant to the whole organization, incorporating measures such as threat management, data classification, awareness training, incident response and business continuity planning.

Cybersecurity Governance Guidelines (2017)

These guidelines give an overview of cybersecurity governance principles and mandate that regulated entities establish robust cybersecurity governance within their organizations. They provide guidance on establishing governance processes across the organisation, outlining six key steps that identify the current, desired and future states of cybersecurity within government organizations. The steps break down as follows:

  • Identify the crucial stakeholder groups and their needs and expectations, so that the cybersecurity programme aligns with and supports overall business objectives.
  • Establish a clear roadmap by outlining the vision, legal foundation, goals and aspirations of the cybersecurity program, grounded in an in-depth understanding of existing vulnerabilities and the prevailing cybersecurity culture within the organization.
  • Establish a governance framework by defining roles and responsibilities in a RACI matrix, setting out policies and requirements, and developing processes and procedures for future cybersecurity operations. This step also requires the active participation of a steering committee that sets the tone and direction for the cybersecurity transformation.
  • Identify, evaluate, address and track cyber threats, deploying mitigating controls and measures grounded in established risk tolerance guidelines.
  • Allocate and administer resources efficiently to support the cybersecurity program, ensuring available resources are aligned with expected outcomes and objectives.
  • Assess the performance and efficacy of the cybersecurity program by collecting data and metrics, and report key findings and recommendations to senior stakeholders through regular reports and presentations.

Cloud and Hosting Service Providers Standard (2019)

The Cloud and Hosting Service Providers Standard presents a comprehensive outline of the requirements for Cloud Service Providers. To a large extent, CSPs must align with globally recognized security frameworks such as ISO 27001, ISO 27017 and ISO 27018, as well as the Cloud Controls Matrix provided by the Cloud Security Alliance (CSA), particularly when offering online payment processing. A crucial aspect of the standard is the management, classification and storage of data within a cloud environment, and the provision of access to those environments. A CSP may seek accreditation from a third-party assessment organization capable of auditing and verifying compliance with the cybersecurity controls, covering contingency planning, monitoring and assessment outcomes.

To illustrate how each nation develops and implements its own approach to cybersecurity regulation, the following summary was compiled from the laws, strategies, frameworks and regulators in force at the time of writing this blog.

State of Qatar
  • Laws: Cybercrime Prevention Law (2012) and Personal Data Protection Law (2016)
  • Strategy: National Cyber Security Strategy (2014)
  • Frameworks: Qatar Cybersecurity Framework (QCF) (2018); National Information Assurance Standard (NIAS) (2023); National Information Classification Policy (2023)
  • Regulator: National Cyber Security Agency (NCSA)

Kingdom of Saudi Arabia
  • Laws: Anti-Cyber Crime Law (2007) and Personal Data Protection Law (2023)
  • Strategy: National Cybersecurity Strategy (2019)
  • Frameworks: Essential Cybersecurity Controls (ECC) (2018); Critical Systems Cybersecurity Controls (CSCC) (2019); Cloud Cybersecurity Controls (CCC) (2020)
  • Regulator: National Cybersecurity Authority (NCA)

Sultanate of Oman
  • Laws: Cyber Crime Law (2011) and Personal Data Protection Law (2023)
  • Strategy: N/A
  • Frameworks: Cybersecurity Governance Guidelines (2017); Basic Security Controls (BSC) (2017); Information Security Management Policy (2019); Cloud and Hosting Service Providers Standard (2019); Database Security Standard (2020)
  • Regulators: Cyber Defence Center; Ministry of Transport, Communications and Information Technology

Conclusion

While each nation has developed its own flavour of cybersecurity measures, spread across various regulations, frameworks and guidelines, some shared themes emerge across the countries discussed in this blog post:

  • While each nation develops its own approach, a common foundation is formed by three fundamental principles: the confidentiality of sensitive information, the integrity of data and systems, and the availability of both for authorized access. Regardless of country, this thread runs through the regulations and frameworks governing the various sectors.
  • The scope of security controls an organization must establish depends significantly on the level of risk associated with the vertical in which it operates. While organisations in sensitive sectors such as healthcare or critical infrastructure (CI) may face distinct cybersecurity requirements, most frameworks focus on identifying and mitigating cybersecurity risk. Cybersecurity is an ongoing endeavour that requires constant vigilance, as knowledge and best practices continually evolve; controls must therefore be sustained through regular testing and assessment.
  • Despite robust defences, cyber attacks can still occur. Recognizing this, numerous standards and frameworks demand technical safeguards such as firewalls, endpoint controls, visibility and encryption, and expect organisational measures alongside them. A one-size-fits-all approach rarely produces effective response procedures, so most frameworks focus on identifying vulnerabilities and creating customized processes aligned with the organization’s rules to protect its clients and customers. This is where Talos Incident Response can help coordinate efforts and tailor solutions that conform to local regulations and compliance requirements.
  • Proactive threat management, which most regulatory frameworks and standards expect, is a concerted effort to identify, assess, mitigate and monitor threats and vulnerabilities in order to secure an organization’s assets. Cybersecurity is no longer a matter of passively fortifying defences and relying on luck; it demands proactive vigilance, a keen sense of the ever-changing threat landscape, and purposeful action to limit the impact of potential attacks.
  • Some frameworks anchor their principles and approach in global standards such as ISO 27001 or NIST, establishing a foundation on which further controls are built. Applying additional security measures to an organization that has already implemented the primary NIST controls or is ISO 27001 compliant is therefore often significantly simpler.
