
How to Comply with NESA Wiping Requirements

Is your organization based in the United Arab Emirates? If yes, then you need to start complying with new regulations introduced by the National Electronic Security Authority (NESA). Here we’ll summarize what NESA says about data wiping requirements and share 3 steps on how to implement a successful NESA compliance strategy.

NESA in a Nutshell

  • When?
    The NESA regulations are already in effect.
  • What?
    The legislation is made up of several regulations – the most relevant being the Information Assurance Standards (IAS). The IAS consists of 188 security controls that all relevant companies and organizations must comply with. Objectives of the IAS:
    – Strengthen security of UAE cyber assets
    – Reduce corresponding risk levels
    – Protect critical data infrastructure
    – Improve threat awareness
  • Who?
    NESA compliance is mandatory for:
    – Government organizations
    – Semi-government organizations
    – Organizations that are part of the UAE critical infrastructure

What Does NESA Say about Data Wiping?

In short, the regulations state that organizations must securely erase or overwrite sensitive data when it is no longer needed. NESA also recommends that organizations select reliable third-party companies that can help them dispose of data effectively.

  • M4.4.2: Return of Assets
    “In cases where an employee, contractor, or third-party user purchases the entity’s equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the entity and securely erased from the equipment.”
  • T1.4.1: Management of Removable Media
    “If no longer required, the contents of any re-usable media that are to be removed from the entity should be made unrecoverable; data wiping software could be used for instance.”
  • T1.4.2: Disposal of Media
    “The entity shall establish procedures for secure disposal of media containing confidential information based on the sensitivity of that information.”
    “Media containing confidential information should be stored and disposed of securely and safely, e.g. by incineration or shredding, or erasing data for use by another application within the entity.”
    “Many entities offer collection and disposal services for media; care should be taken in selecting a suitable external party with adequate controls and experience.”
  • T2.3.6: Secure Disposal or Reuse of Equipment
    “The entity shall ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.”

Prepare for NESA Compliance

By following these 3 steps, you can ensure that your organization is able to comply with NESA wiping requirements. 

  1. Understand where your data resides
    No matter where your data is saved, it’s your responsibility to know where it is. Keep track of your data flow and build a clear picture of where your information is located, how it’s being accessed, and how it’s being shared. Knowing where your data resides will help you get working faster when you must locate files you need to erase.
  2. Classify and get organized
    Once you know where your data resides, it’s crucial to get organized. Begin by building an inventory – arrange your data by importance and level of risk. You should also put someone formally in charge of data protection. This communicates to your customers, and compliance officers, that you are serious about protecting sensitive information.
  3. Use the right tools
    What kind of data do you need to erase? Answering this question will help you understand what type of software to use. If you have sensitive data on a computer that’s no longer needed, then you should use software that’s able to wipe your entire hard drive. On the other hand, if you only have an individual file or folder that you must remove, then you could use a tool that allows you to wipe selected data from an active computer.

How Data Wiping Works

The most secure and efficient way to dispose of sensitive information is to securely erase or overwrite it by using data wiping software. Deleting files by normal means is not enough: information saved to a hard drive leaves residual data behind. To prevent that data from being found by file recovery software and becoming accessible to attackers, you can wipe your data and permanently erase your information.

Learn more about securely wiping your data by reading our ultimate guide. You can also find 3 reasons to erase and re-purpose your hard drive here.
