
INTERNET SECURITY

Introduction to Internet security standards


By Ron Herardian

As businesses move to take advantage of collaborative computing and electronic commerce on the Internet, data security has become a growing area of interest. Although there are undoubtedly more data-security-related products and services available today than ever before, there are also more security-related incidents each year. The rapid growth of the Internet and the constant introduction of new technologies, while creating new opportunities for businesses, also create new opportunities for hackers.

For the Internet, security was an afterthought. It is often said that the Internet was not designed with security in mind. The
Internet is composed of many different technologies and is inherently open. Openness was one of the design goals behind basic
Internet technologies like TCP/IP, which is a hardware and network independent protocol. While this enables any computer or
network to be connected to the Internet it also makes it easy for hackers to attempt break-ins while at the same time making
them hard to trace.

The rise in the complexity and diversity of the Internet has caused the need for security expertise to exceed the supply. As a
result, inexperienced technical staff often implement security measures that are vulnerable to hackers.

On the Internet, hackers don't always need to break in to access confidential information, since much of the traffic on the Internet is not encrypted. Encryption has been a growing area of activity in the past few years, and today intranets, extranets, and email all involve some type of security. Emerging Internet standards have come to drive security technology.

The purpose of this article is to familiarize you with the basic Internet security technologies. Over the next few months we'll look at Domino's historical security model and contrast it with the emerging Internet standards-based security technologies that will be integrated into Domino 5.0 and beyond.

Encryption
The best place to start is with encryption. Encryption means that information is scrambled so that only authorized people or systems can understand it. Understanding encrypted information requires decrypting it. For example, substituting numbers for letters is a primitive form of encryption. To decrypt the information you have to know which numbers represent which letters. In this example, the mapping of letters to numbers is a simple encryption key used to guarantee the privacy of the information.

An encryption key is information (a string of alphanumeric characters) that is used to encode or decode information. The difficulty lies in telling the people who need to decrypt information what the encryption key is. The most secure way of handling this is to use a public encryption key to encode information in such a way that only a different, private encryption key can decode it. In other words, if I send a note to you, I encrypt it with your public key, which is available to everyone, but only you can decrypt the note, using your private key. This is called Public Key encryption. Public Key encryption is good because public keys can be made available over the Internet and through directory services.

Deploying and managing public and private keys requires a framework for managing security information. Such a
framework is called Public Key Infrastructure or PKI. For several years Domino was practically the only messaging and
groupware system providing a PKI and PKI management tools, but it was implemented with proprietary RSA technology.
The Notes ID with which all Notes administrators are familiar is actually a form of digital certificate containing public and
private encryption keys. The most popular implementation of Public Key encryption for email is Secure Multipurpose
Internet Mail Extensions or S/MIME.

S/MIME provides end-to-end Public Key encryption for email messages. A message encrypted by the sender can only be
decrypted by the recipient. At no time during the transmission or routing of the message is the message stored
unencrypted nor does any user or administrator have access to the content of the message. Through digital signatures,
S/MIME also provides sender authentication and tamper detection.

Today, Internet standards-based security technologies dominate the market. Vendors that had previously lacked a security model equivalent to that of Domino have now implemented similar security models using Internet standards-based technologies. At the same time, competition is taking shape around the business of providing enterprise (intranet) and inter-enterprise (extranet) PKI management facilities. In a sense Domino has a head start, but Lotus faces the challenge of integrating Internet standards-based security technology with its existing security model.

Digital certificates
Digital certificates are widely used for Internet applications, and I mentioned above that the Notes ID is a proprietary form of digital certificate. The Internet standard for digital certificates is X.509. Like the Notes ID, the X.509 certificate contains a user's public and private keys. Certificates are used in several ways, including Public Key encryption, digital signature (a way of verifying the originator of information), and to establish trust between applications or organizations based on the issuer of the certificate, the Certificate Authority (CA), a trusted third party authorized to issue digital certificates.

A certificate consists of a public key signed by a trusted third party or Certificate Authority. Certificates make it possible for
different users to trust one another's public keys. X.509 certificates are an electronic credential like a government-issued ID
or passport. A certificate can be used to access an intranet or extranet application. For example, in order to log in to a
system a client application such as a web browser presents the user's certificate to the system and uses it for
authentication and access control. Information for external users, such as a business partner, can be made available to
users whose certificates were issued by the organization for that purpose.

Certificates can be revoked or they may expire. Key escrow entrusts certificates to the third party so that an organization can
retrieve information that may have been encrypted maliciously.
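The following Go program is an added example, not code from the article or from Lotus, and it works through the mechanics of the two sections above with nothing but the Go standard library: a constructed CA issues an X.509 certificate to a user, a note is encrypted with the public key read from that certificate and decrypted only by the matching private key, a signature exposes tampering, and the certificate is accepted against the trusted CA but rejected once it has expired or when an untrusted CA issued it. The names "Example Root CA", "Rogue CA", "bob@example.com", the users Alice and Bob and the sample note are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueCert has a CA sign a certificate binding cn to pub for the validity
// window. With ca == nil the certificate is self-signed (a root CA certificate).
func IssueCert(cn string, pub *rsa.PublicKey, notBefore, notAfter time.Time,
	isCA bool, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a user certificate: usable for encryption and client login
		tmpl.KeyUsage |= x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if ca == nil {
		ca = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckCert is what a server does when a browser presents a user's certificate: the
// chain must end at a trusted CA and the certificate must be in date at time at.
func CheckCert(cert, trustedCA *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo builds a constructed CA, Alice, Bob and a rogue CA and returns each check's outcome.
func Demo() map[string]bool {
	keys := make([]*rsa.PrivateKey, 4) // CA, Alice, Bob, rogue CA
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		must(err)
		keys[i] = k
	}
	caKey, alice, bob, rogueKey := keys[0], keys[1], keys[2], keys[3]
	now, hour := time.Now(), time.Hour
	root, err := IssueCert("Example Root CA", &caKey.PublicKey, now.Add(-hour), now.Add(24*hour), true, nil, caKey)
	must(err)
	bobCert, err := IssueCert("bob@example.com", &bob.PublicKey, now.Add(-hour), now.Add(hour), false, root, caKey)
	must(err)
	rogue, err := IssueCert("Rogue CA", &rogueKey.PublicKey, now.Add(-hour), now.Add(24*hour), true, nil, rogueKey)
	must(err)
	rogueBob, err := IssueCert("bob@example.com", &bob.PublicKey, now.Add(-hour), now.Add(hour), false, rogue, rogueKey)
	must(err)
	r := map[string]bool{}
	// Public-key encryption: Alice seals a note with Bob's public key, taken
	// from his certificate; only Bob's private key opens it, Alice's cannot.
	note := []byte("constructed sample note for Bob")
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobCert.PublicKey.(*rsa.PublicKey), note, nil)
	must(err)
	opened, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bob, sealed, nil)
	r["roundtrip"] = err == nil && bytes.Equal(opened, note)
	_, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, alice, sealed, nil)
	r["wrong key fails"] = err != nil
	// Digital signature: made with Alice's private key, checked with her public
	// key; changing one byte of the note in transit makes verification fail.
	h := sha256.Sum256(note)
	sig, err := rsa.SignPKCS1v15(rand.Reader, alice, crypto.SHA256, h[:])
	must(err)
	r["signature ok"] = rsa.VerifyPKCS1v15(&alice.PublicKey, crypto.SHA256, h[:], sig) == nil
	tampered := sha256.Sum256(append([]byte("X"), note[1:]...))
	r["tamper detected"] = rsa.VerifyPKCS1v15(&alice.PublicKey, crypto.SHA256, tampered[:], sig) != nil
	// Certificate checks: trusted issuer and in date; the same certificate after
	// expiry; an identical-looking certificate from an untrusted CA.
	r["chain ok"] = CheckCert(bobCert, root, now) == nil
	r["expired fails"] = CheckCert(bobCert, root, now.Add(2*hour)) != nil
	r["untrusted fails"] = CheckCert(rogueBob, root, now) != nil
	return r
}
```

The certificate itself carries only the public key and the private key stays with its owner, which is why Bob's private key is passed separately from his certificate. Revocation, the other reason the text gives for a certificate no longer being usable, needs a CRL or OCSP lookup on top of what CheckCert does.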

Secure sockets layer

On the web, the most popular type of encryption is the Secure Sockets Layer (SSL), which encrypts data carried over a TCP/IP connection. Published by Netscape Communications, SSL provides secure web client and server communications, including encryption, authentication, and integrity checking for a TCP/IP connection.

Conventional intranet and extranet applications typically use a combination of security mechanisms that include:

• Encryption
• Authentication
• Access Control

Authentication means there is a mechanism in place to verify that an entity accessing information is permitted to do so. The best
example is a login ID and password but there are other types of authentication. One example is verifying the network address of a
connecting host. Authentication is like a gate. Once a user passes through the gate there are secondary controls (Domino Access
Control Lists or ACLs) that determine what information may be accessed or manipulated.

In summary, encryption applies to the connection or transport (such as SSL) or to other data (S/MIME for email). A document or
application may be digitally signed to prove the identity of the originator. X.509 certificates provide Public Key encryption and
digital signatures just as the Notes ID does within the proprietary Notes and Domino security model. Authentication provides a
gate through which only authorized users may pass and access controls determine what information may be accessed or
manipulated by a given user.

Playing a key role in the proliferation of PKIs is the Lightweight Directory Access Protocol (LDAP). LDAP directories are used to provide access to the public keys of users and to store access control information. The Domino Name and Address Book (NAB) is accessible through LDAP. In coming versions we can expect to see tighter integration of the Domino NAB with LDAP and integration of X.509 certificates with the existing Domino PKI. Since Domino provides a complete PKI management solution, extending this technology to fully embrace Internet security standards is a natural step.

Ensuring Our Safety and Security through Information Security

Building a safe and secure society: a pressing need for today. To respond more effectively to security needs in business and daily life, Hitachi launched the "Hitachi Security Project" in April 2005, offering comprehensive security solutions from the three perspectives of "business information," "daily living," and "a safe society."

Ensuring Safety and Security of Information

[Figure: ATM equipped with finger vein authentication unit.]
Leakage of personal and sensitive information is a serious social issue today. To enable real protection, securing information systems alone is not enough. A total approach is needed, addressing everything from "where," "who," and "how" to handle information to document disposal. Given the huge volumes of information and funds being transferred over networks, technologies for highly reliable user authentication are of critical importance. For this, Hitachi has developed a biometric authentication system called the "finger vein authentication system" that reads the unique vein patterns in one's finger using near-infrared light. Because this system uses characteristics hidden inside the body, it is difficult to forge and more secure than fingerprint, face, and voice authentication. This new technology is already widely in use in entrance control and automated teller machines (ATMs).

Hitachi has also developed a diskless "security PC" to prevent leakage of information from a lost or stolen computer. Security PCs are being deployed within Hitachi under our information security policy. Other technologies developed by Hitachi include encryption systems for data protection, and a "digital watermark print solution" to prevent reproduction and duplication of documents.

The Hitachi Group will continue to put all of its resources to work in helping build a safe and secure society.

Hitachi's Safety and Security Solutions

1 Introduction

1.1 Background

Today more than ever before, governments operate in an environment of evolving risk. The world as a whole is more connected; unexpected events are more likely to happen; and attacks on infrastructures, networks, and systems have become increasingly more sophisticated. The Abu Dhabi Government has begun to aggressively develop and facilitate the electronic delivery of its services through a new e-Government programme—but this move, while essential, compounds these risks by exposing the Government to technology-driven threats and infrastructure vulnerabilities and allowing intentional and unintentional access to sensitive information. A risk-based approach to information security must now be adopted.

1.2 Purpose

The Information Security Programme goes beyond the traditional view of information technology to ensure that sensitive Government information is protected throughout its lifecycle within a service as well as within the automated systems where data is processed. Abu Dhabi recognises the importance of developing this programme to be coordinated and integrated with the related assurance disciplines of physical and personnel security, business continuity, and cross-functional risk management, and understands the need for it to provide both assurance and security for Government missions. All of these areas are included in the Information Security Programme, with activities to ensure their integration under a mission assurance umbrella.


2 Overview of the Project

2.1 Project Structure

The Information Security Programme provides a holistic approach to enhancing information security for the Abu Dhabi Government, with "information security" defined as the protection of information from a wide range of threats. It features controls (also referred to as "countermeasures" or "safeguards") that secure information in the areas of confidentiality (preserving authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information), integrity (guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity), and availability (ensuring timely, reliable access to, and use of, information).

2.2 Project Principles

The Information Security Programme is part of ADSIC’s activities to modernise the services and capabilities of the Abu Dhabi Government. Its vision, goals, and policy statements were based on relevant best practices from around the world, including ISO/IEC (International Organisation for Standardisation/International Electrotechnical Commission) 27001 and 27002, now tailored to fit the specific requirements of the Abu Dhabi Government. This has resulted in a comprehensive set of information security management and functional processes to ensure effective implementation—as illustrated in the figure above.
2.3 Project Components


2.3.1 Information Security Policy

The Abu Dhabi Information Security Policy establishes overall direction for the Government-wide Information Security Programme and its roles and responsibilities. Endorsed by the Executive Council, it sets the Programme’s scope and boundaries and establishes uniform roles and responsibilities for pan-Government ADGEs. The Information Security Policy also establishes policies across 14 management and functional information security processes, and includes a glossary of key programmatic terms.

2.3.2 Information Security Standards

Supporting the Information Security Policy is the Information Security Standards document, which provides the controls necessary to meet the Programme’s management and functional policies. Set by ADSIC, this standardisation is key to achieving a risk-based approach to information security. Using such standardised controls allows the Abu Dhabi Government to create an environment of trust across the Government and its citizens and business partners, where every stakeholder secures its operations through consistent terminology, uniform controls, and similar risk-based decision criteria.

The controls in the Information Security Standards document relate to 51 control objectives that identify the unique target states for each of the 14 policies. These objectives constitute the major initiatives of the Information Security Programme, and are aligned with ISO 27002. Control standards define the specific activities that should occur during application of each information security control objective, such as Access Control, Passwords, Configuration Management, Cryptographic Policies, etc.

The Information Security Standards document should be used throughout the lifecycle of an individual ADGE’s risk management efforts. This will ensure a transparent methodology where each ADGE knows the security standards it is required to meet.

2.3.3 Procedural and Functional Guides

To ensure consistency and ease in implementation, ADSIC has also developed a series of procedural and functional guides for ADGE use. These guides provide detailed instructions on how to implement management and functional control processes.

Procedural Guides

• Abu Dhabi Risk Management Guide
• Abu Dhabi Risk Assessment Guide
• Abu Dhabi Information Security Planning Guide
• Abu Dhabi Security Testing & Evaluation Guide
• Abu Dhabi Certification & Accreditation Guide

Functional Guides

• Abu Dhabi Information Security Technical Testing Guide
• Abu Dhabi Policies and Procedures Guide

In the future, ADSIC expects to provide additional procedural (e.g., Incident Management, Personnel Screening) and technical (e.g., Firewall Configuration and Management, Virus Protection) guidance as well.

2.4 Risk Management

The Risk Management process plays an important role in the Information Security Programme, serving as a mechanism that allows Abu Dhabi Government Entities (ADGEs) to effectively protect Government information commensurate with the risk and magnitude of harm that could result from its loss, misuse, unauthorised access, or modification. By implementing appropriate security controls, this process will provide ADGE information systems with an acceptable level of protection from vulnerabilities and threats.

ADSIC has designed the Risk Management process to safeguard not only the ADGE’s information technology assets, but also its organisation and business processes. It includes both management and functional controls, and can be broken down into the four distinct phases—Risk Assessment, Information Security Planning, ST&E, and C&A—mentioned previously. Each phase has its own ADSIC process guide.

2.4.1 Risk Assessment

The Risk Assessment phase—a sub-process of Risk Management to be adopted by ADGEs—is Step 1 of the four-step Risk Management process. It is critical, because it establishes a foundation for the phases that follow by allowing the ADGE to identify risk and analyse its impact. Six steps are involved in this sub-process: Determine Scope of the Assessment; Identify and Characterise Assets; Assess Impact; Identify Threats; Identify Vulnerabilities; and Determine Risk.

2.4.2 Information Security Planning

Information Security Planning—Step 2 of the Risk Management process—is where the ADGE formulates a plan on the best way to reduce identified risks and follows it up with a course of action. Methods of treatment can include reduction, avoidance, transference, or acceptance. The ADSIC Information Security Standards document can be used to determine appropriate controls for a specific risk profile, and the ST&E Guide should be used to help ascertain whether risks have been properly treated.

2.4.3 Security Testing and Evaluation

ST&E is conducted to verify and validate that security controls have been
implemented as documented in the Information Security Plan. This is Step 3 of
the Risk Management process, and can be conducted by either an internal test
team or an external party depending upon the classification of the system being
assessed. Systems categorised as HIGH or MODERATE must follow an
Independent Verification and Validation method of assessing controls, which
requires testing to be conducted by an independent party. ST&E for systems
categorised as LOW may be handled by a team from within the ADGE. The
ST&E phase produces a report that details findings from the test and
subsequent evaluation—this will be used to objectively determine the security
exposure of the ADGE’s information system as it identifies need for additional
controls to be implemented and current controls to be strengthened.

2.4.4 Certification and Accreditation

C&A, the means by which ADGEs obtain endorsement on the effectiveness of their overall Risk Management process, is the fourth and final step of the Risk Management process. Here, certification results are submitted to the Designated Approving Authority (DAA), who makes a decision for accreditation—the formal acceptance of residual risk. Parties responsible for certification depend upon the classification of the system being assessed.

An ADGE must continue to follow the Risk Management process to maintain its C&A status—this provides an incentive for Risk Management to become an ongoing process rather than a one-time event. Information systems are regularly assessed to identify new and emerging vulnerabilities through continuous monitoring, with senior ADGE officials receiving notification when major changes occur or vulnerabilities emerge. The most common method used to keep track of new technical vulnerabilities during this phase is periodic (e.g., quarterly) vulnerability scanning.

ADGEs should begin implementing the Risk Management process for their systems during the design phase, and establish a C&A plan prior to the system going live. While the recommended method is to implement the Information Security Programme’s 14 information security processes in order, starting at the top of the list and working down, these processes do not necessarily have to be implemented in that order.

2.5 Going Forward

ADSIC’s role in going forward is to guide and assist the ADGEs as they
implement the Abu Dhabi Information Security Programme. As it continues the
process of fully building out the Programme, ADSIC will provide the ADGEs
with additional guidance and offer training on the Risk Management process on
a periodic basis.

ADSIC will also be building out other pan-Governmental management processes, including Performance Management, Outreach and Communications, and a full-scope Awareness and Training programme. As these new capabilities are developed, ADSIC will reach out to the ADGEs and provide guidance and facilitate awareness as appropriate.


3 Relevance and Benefits for ADGEs

ADGEs can expect many benefits as a result of the Information Security Programme. The first is a cultural shift away from a "fire-fighting" and "crisis management" mentality to making decisions that can prevent problems before they occur. Through successful implementation of the Risk Management process, ADGEs will be able to anticipate what might go wrong—and the management of risks will become an integral part of their overall programme management, similar to user management or hardware maintenance.

ADGEs are encouraged to refer to the initial ADSIC guides to familiarise themselves with the goals and objectives of the Programme, and to reach out to ADSIC as necessary to schedule a programme overview and any topic-specific training that might be required. Because it is anticipated that ADGEs will outsource some of their security needs, guidance on how to effectively select support and properly maintain Government involvement in security programmes will be made available as well.

All ADGEs, as outlined in the Abu Dhabi Information Security Policy, are
required to comply with the Information Security Standards. Implementation of
security controls can be fully effective only when all stakeholders understand
the consequences of not securing Government information.
