  • published 12/27/24 11:15 AM
  • updated Aug 10, 2024
  • 2 min read

Cyber Incident Response Framework

Audience

Corporations, Government

Content Outline

Introduction

Cyberspace supports diverse activities in the United Arab Emirates, including the national economy, national security, public health and safety, cultural and social life.  The evolving information and communications technology of cyberspace provides numerous benefits but is increasingly a target of cyber threats that have the power to disrupt, damage, or destroy critical functions and services that enable our way of life.  Because cyber threats are dynamic, incidents will inevitably occur. However, an effective incident response capability can help minimize the impact of these incidents and reduce the occurrence of other incidents.

The Cyber Incident Response Framework (CIRF) was established and revised in light of the National Cyber Security Strategy, defining how the UAE will prepare for, protect against, detect, respond to, recover from, and continuously learn from cyber incidents.  At the heart of the CIRF are guiding principles, the national cyber response governance model, the incident level schema and management lifecycle, the reporting and information sharing requirements, as well as the monitoring and performance management components that together make up the cyber incident management capability. It is supported by the Cyber Incident Response Plan (CIRP) which further defines the cyber response capability by providing operational details.

The Council has developed this framework to establish a national incident management capability and to define how the UAE will prepare for, protect against, detect, respond to, recover from, and continuously learn from significant cyber incidents. It is aligned with the UAE’s national priority to be a global leader in cyber security and to enhance the security posture of organizations and individuals within the UAE.

National Cyber Incident Response Governance Model

The Model 

Outlines the roles and responsibilities of the Cyber Security Council, National Cyber Response Group (NCRF), Sector SOCs and CII operators in the national incident response.
 

Integration with UAE National Crisis Management 

Highlights the collaboration between CSC and NCEMA, where CSC shares information on significant cyber incidents and NCEMA supports CSC in managing physical and cyber-related consequences of such incidents.

Cyber Incident Alert Schema

Outlines the national alert schema for conveying information on cyber incidents and their impact levels to CII and Non-CII entities through four alert levels, considering the activity, potential escalation, and impact on response capabilities.

Cyber Incident Management Lifecycle

Prepare 

Outlines capabilities (people, processes, technology) for incident response and recovery. It includes preparedness activities and maintaining cyber situational awareness at entity, sector, and national levels.
 

Protect

Emphasizes preventative measures and strategies to protect CII, predict potential incidents, and take actions to safeguard systems from incidents.
 

Detect 

Provides requirements for identification, validation, and analysis of events to determine incidents, with CII entities playing a key role in early detection and vulnerability awareness.
 

Respond 

Outlines investigative steps to collect and analyze incident evidence, implement containment measures, and support law enforcement in digital evidence handling for prosecution.
 

Recover 

Highlights remediation and restoration activities to return systems to normal, communicating with stakeholders on recovery actions, and ensuring steady-state operations post-incident.
 

Learn and Improve 

Outlines actions for continuous improvement through implementing lessons learned from incidents, minimizing future attacks, and enhancing cybersecurity maturity.

Reporting Requirements and Information Sharing (Federation)

Technical Reporting (Federation) 

Provides a hierarchical model for sharing technical cyber incident-related data, from CII entities to sector SOCs and the NSOC, with roles, responsibilities, and timelines defined by the SOC Baseline Framework.
 

Operational Crisis Management 

Provides requirements for maintaining a Point-of-Contact Network for crisis management during Significant Cyber Incidents, enabling response by connecting relevant stakeholders.
 

International Information Sharing 

Provides policies and procedures for engaging with international partners on cyber incident management, aligned with the CSC’s Information Sharing Framework, and obtaining necessary approvals for international cooperation.

Summary

The Cyber Incident Response Framework defines the national approach to preparing for, detecting, responding to, and recovering from cyber incidents. It establishes governance, alert schemas, reporting requirements, and lifecycle management to ensure coordinated response, minimize impact, and safeguard the stability and security of UAE cyberspace.
