Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

NIA Executive Summary

by Cesar Navas
November 19, 2020

NIA Executive Summary

The National Information Assurance (NIA) Policy v2.0 is associated with the State of Qatar’s Ministry of Transport and Communications (MOTC). This policy was developed to help the organization in the State of Qatar enable a full-fledged information security management system within their agency. The organization needs to show compliance with the NIA Policy v2.0 through an annual audit by a certification body. This policy includes a series of security governances and technical controls, grouped into security domains that cover control areas that an agency needs to implement as baseline security to be compliant with the NIA Policy and in accordance with the NIA Manual. This dashboard will enable the executive team to gauge the compliance of the NIA Policy in relation within their organization.

Tenable.sc can identify compliance checks that relate to these technical controls. The date presented to the CISO provides an understanding of which security domains require attention or which are compliant. The combination of Vulnerability Priority Rating (VPR), Service Level Agreements (SLA), and compliance components allows the viewer to examine the state of NIA implementation and track risk mitigation efforts. The CISO uses this dashboard to brief the executive team and prepare for the NIA auditors. 

The NIA Manual provides, baseline controls which an organization should implement at minimum, to protect their information system. The security controls are grouped into the following domains: 

  • Access Control Security [AM]
  • Cryptographic Security [CY]
  • Gateway Security [GS]
  • Information Exchange [IE]
  • Logging, Auditing & Security Monitoring [SM]
  • Network Security [NS]
  • Product Security [PR]
  • Software Security [SS]
  • System Usage Security [SU]
  • Virtualization [VL]

According to section 2 of the NIA Policy v2.0 Overview chapter, Agencies conforming to the NIA manual may implement over and above the baseline. In case NIA controls intersect with other laws and regulations, such as Center for Internet Security (CIS) or the NIST Cybersecurity Framework, the organization must consider compliance to both or whichever is providing higher degree of security. 

The dashboard is grouped with 3 areas of focus; NIA compliance, SLA progression, and VPR summary.

By tracking system hardening efforts over time, and current configuration stats, the CISO can understand how best practices are being implemented.  The VPR components shows risk reduction tasks that will reduce the most prevalent risks seen in the wild. The SLA components allow the executive team the ability to monitor progress in the wider vulnerability management arena. This dashboard can serve as a quick glance summary of NIA compliance and the overall state of vulnerability within the organization. Using this dashboard, the CISO is provided with the required data that is needed to prove compliance. 

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment.

The dashboard requirements are:

  • Tenable.sc 5.14.1
  • Nessus 8.10.1
  • Compliance data

Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provide the ability to continuously Assess an organization’s adherence to best practice configuration baselines. Tenable.sc provides customers with a full and complete Cyber Exposure platform for completing an effective Information Security Management System program prescribed by the NIA standard.

Components 

NIA Compliance Checks Overview: This component presents the results of compliance audits to verify secure system configurations. There are two rows, one for compliance checks specific to NIAv2 and one for all compliance checks. Each row includes the system count, whether scans were performed in the last 7 days, and the percentage of checks that passed, failed, or require manual verification. Passed checks are displayed in green, failed checks are in red, and checks that require manual verification are in orange. 

NIA Network Mapping – Breakdown of Devices Detected on Network: This matrix presents a breakdown of detected network systems by type. A purple indicator denotes that systems of that type were detected; clicking on the indicator will bring up information on each of the detected systems, including IP address and MAC address. This information assists an organization in maintaining an accurate inventory and detecting any unauthorized systems.  

VPR Summary – Highlighted Patches (VPR 7.0 – 10): The component uses the High and Critical VPR levels (VPR 7.0 - 10) combined with the remediation summary tool to provide a focused view of patches that should be considered at a higher priority than other patches.  The tool provides a list of patches to apply, the amount of risk reduced (based on vulnerability weight score), hosts affected, and percentage of vulnerabilities.

VPR Summary – First Discovered Vulnerabilities: This component provides organizations with a view of vulnerabilities over a period of time.  The columns are grouped using the VPR score levels, ranging from least risk to the greatest risk.  Each row uses the Vulnerability First discovered filter to track when a risk first appeared on the network. The rows progress from the current month, last month, current quarter, last quarter, to vulnerabilities first discovered over 180 days ago.  Most SLA’s allow for the vulnerability to exist on the network for 30 days, due to a standard 30-day patch cycle.  Organizations can modify this matrix to support the SLA as defined by their risk management officer.

VPR Summary – Mitigated Vulnerabilities: This component provides organizations with a view of vulnerabilities that have been mitigated, showing progress towards risk management SLA’s.  The columns are grouped using the VPR score levels, ranging from least risk to the greatest risk.  Each row uses the Vulnerability Mitigated filter to track when a risk first appeared on the network.  The rows progress from the current month, last month, current quarter, last quarter, to vulnerabilities first discovered over 180 days ago.  Most SLA’s allow for the vulnerability to exist on the network for 30 days, due to a standard patch cycle.  Organizations can modify this matrix to support the SLA as defined by their risk management officer.

SLA Progress – Unmitigated VulnerabilitiesThe matrix provides a summary of vulnerabilities based on the CVSS score and the SLA of 30, 60, 90 days.  Each of the three rows are based on the CVSS severity from Medium to Critical.  The three columns illustrate the count of vulnerabilities across all systems.  To provide more focus to an asset group, the component can be installed with focus option set accordingly.  The black cells are the count of vulnerabilities, with green meaning newly discovered and are within the prescribed SLA, while the red count are vulnerabilities that have been detected on the network for more than the allotted mitigation time.

NIA Compliance Summary – 25 Day Trend:  This component provides a 25-day trend analysis for all NIA compliance checks. The data points are calculated using the 'Days Since Observation' set to 'within the last day'. Thus, each data point only calculates the new compliance checks observed daily. The resulting graph more accurately depicts the change in compliance over the period of 25 days.

VPR Summary – Vulnerability Trending over the last 90 daysThis component contains a trend analysis for each of the VPR levels: low (VPR 0-3.9), medium (VPR 4.0-6.9), high (VPR 7.0-8.9) and critical (VPR 9.0 - 10) over the past 90 days. Each line in the chart uses the Vulnerability Last Observed filter to allow the analysts to observe changes from day to day.  As you move the mouse over the lines, you will see data points, with Vulnerability Last Observed filter the query between the data points will highlight the change from day-to-day.  If the scanning strategy is to scan every 7 days, the graph will show spikes every seven days.  However, if the organization is scanning daily, then a more accurate view of the trend data will be displayed, as the daily changes are shown.

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.