DFSA IT compliance: where to begin?

If your company falls under Dubai Financial Services Authority (DFSA) jurisdiction and you are unsure where to start in achieving IT compliance, Mohammed Hammoudeh, Information Security Specialist at Penta IT Services, may offer a way forward.

The DFSA states that having an effective cyber risk management framework in place is one of the key areas that Dubai International Financial Centre (DIFC) businesses need to protect themselves from cyber risks and achieve DFSA compliance. 

In Penta’s recently published guide on DFSA compliance, some of the main priorities to focus on this year were highlighted. 

What is a cyber risk management framework?

A cyber risk framework is a comprehensive approach to managing cyber risk across an organization. But, as Hammoudeh points out:

“The DFSA does not require regulated firms to follow any particular cyber framework or standard because there is no one-size-fits-all approach. Every DIFC company will have its own characteristics and will need to weigh up the different frameworks with the help of an expert to find the best fit.”

Below Mohammed lists the frameworks suggested by the DSFA and breaks down the advantages and disadvantages of each option:

• The G7 Fundamental Elements for Effective Assessment of Cybersecurity in the financial sector.
• The ISO/IEC 27000 Information Security Management Systems set of standards, which can be applied to all businesses regardless of their size or industry sector.
• The CPMI-IOSCO guidance on cyber resilience for financial market infrastructures, which is more applicable to the parts of the financial system that deal with transactions, including settlement.
• The 18 CIS Critical Security Controls by the Center for Internet Security.
• The NIST Cybersecurity Framework by the National Institute of Standards and Technology.

How do these frameworks compare?

What framework to choose?

The answer to this question will always depend on the requirements and characteristics of the individual company. 

Mohammed Hammoudeh offers the following advice: “it is important to work closely with an expert who fully understands your business, and has in-depth knowledge and experience with the DSFA requirements, and the intricacies of each framework to find the most appropriate path to follow.”

“Whatever framework you choose to adopt, the process of implementation involves the same steps,” adds Hammoudeh.

The steps to implement any cyber risk management framework are:

• Defining the scope and objectives of your cyber risk management framework.
• Identifying and assessing the potential risks to your organization’s critical assets, systems and data.
• Developing policies and procedures for managing and mitigating cyber risks.
• Defining roles and responsibilities for cyber risk management across the organization.
• Establishing a risk management process that includes ongoing risk assessment, risk treatment, and risk communication.
• Developing incident response plans to address potential cyber attacks and data breaches.