CBUAE Cyber Risk and Operational Resilience Framework
Mandatory framework issued by the Central Bank of the UAE (CBUAE) for cyber risk governance, security operations, incident management and operational resilience at all CBUAE-regulated financial institutions. It has 14 sections, referenced below as CR-1 to CR-14 in this order: governance, risk management, SOC, identity and access management, data protection, application security, infrastructure security, cryptography, incident management, security testing, awareness, third-party risk, operational resilience, and regulatory reporting. The tables below map NIST SP 800-53 control identifiers to the CBUAE sections they correspond to; a control that supports several sections lists each of them.
Control families and number of mapped controls: AC (18), AT (5), AU (10), CA (8), CM (10), CP (12), IA (10), IR (9), MP (7), PL (6), PM (18), PS (1), PT (8), RA (9), SA (12), SC (16), SI (11), SR (5)
AC Access Control
| Control | Name | CBUAE References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | CR-4 |
| AC-02 | Account Management | CR-4 |
| AC-03 | Access Enforcement | CR-4 |
| AC-04 | Information Flow Enforcement | CR-4, CR-5 |
| AC-05 | Separation Of Duties | CR-4 |
| AC-06 | Least Privilege | CR-4 |
| AC-07 | Unsuccessful Login Attempts | CR-4 |
| AC-08 | System Use Notification | CR-4 |
| AC-10 | Concurrent Session Control | CR-4 |
| AC-11 | Session Lock | CR-4 |
| AC-12 | Session Termination | CR-4 |
| AC-14 | Permitted Actions Without Identification Or Authentication | CR-4 |
| AC-16 | Automated Labeling | CR-5 |
| AC-17 | Remote Access | CR-4 |
| AC-19 | Access Control For Portable And Mobile Devices | CR-4 |
| AC-20 | Use Of External Information Systems | CR-4 |
| AC-23 | Data Mining Protection | CR-5 |
| AC-24 | Access Control Decisions | CR-4 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | CBUAE References |
|---|---|---|
| AU-02 | Auditable Events | CR-3 |
| AU-03 | Content Of Audit Records | CR-3 |
| AU-04 | Audit Storage Capacity | CR-3 |
| AU-05 | Response To Audit Processing Failures | CR-3 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | CR-3 |
| AU-07 | Audit Reduction And Report Generation | CR-3 |
| AU-08 | Time Stamps | CR-3 |
| AU-09 | Protection Of Audit Information | CR-3 |
| AU-10 | Non-Repudiation | CR-3 |
| AU-12 | Audit Record Generation | CR-3 |
CA Security Assessment and Authorization
| Control | Name | CBUAE References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | CR-14 |
| CA-02 | Security Assessments | CR-10, CR-14 |
| CA-03 | Information System Connections | CR-14 |
| CA-05 | Plan Of Action And Milestones | CR-2, CR-14 |
| CA-06 | Security Accreditation | CR-14 |
| CA-07 | Continuous Monitoring | CR-3, CR-10, CR-14 |
| CA-08 | Penetration Testing | CR-10 |
| CA-09 | Internal System Connections | CR-10 |
CM Configuration Management
| Control | Name | CBUAE References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | CR-7 |
| CM-02 | Baseline Configuration | CR-7 |
| CM-03 | Configuration Change Control | CR-7 |
| CM-05 | Access Restrictions For Change | CR-7 |
| CM-06 | Configuration Settings | CR-7 |
| CM-07 | Least Functionality | CR-7 |
| CM-08 | Information System Component Inventory | CR-7 |
| CM-09 | Configuration Management Plan | CR-7 |
| CM-12 | Information Location | CR-5 |
| CM-14 | Signed Components | CR-6 |
CP Contingency Planning
| Control | Name | CBUAE References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | CR-13 |
| CP-02 | Contingency Plan | CR-13 |
| CP-03 | Contingency Training | CR-13 |
| CP-04 | Contingency Plan Testing And Exercises | CR-13 |
| CP-06 | Alternate Storage Site | CR-13 |
| CP-07 | Alternate Processing Site | CR-13 |
| CP-08 | Telecommunications Services | CR-13 |
| CP-09 | Information System Backup | CR-13 |
| CP-10 | Information System Recovery And Reconstitution | CR-13 |
| CP-11 | Alternate Communications Protocols | CR-13 |
| CP-12 | Safe Mode | CR-13 |
| CP-13 | Alternative Security Mechanisms | CR-13 |
IA Identification and Authentication
| Control | Name | CBUAE References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | CR-4 |
| IA-02 | User Identification And Authentication | CR-4 |
| IA-03 | Device Identification And Authentication | CR-4 |
| IA-04 | Identifier Management | CR-4 |
| IA-05 | Authenticator Management | CR-4 |
| IA-06 | Authenticator Feedback | CR-4 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | CR-4 |
| IA-09 | Service Identification and Authentication | CR-4 |
| IA-11 | Re-authentication | CR-4 |
| IA-12 | Identity Proofing | CR-4 |
IR Incident Response
| Control | Name | CBUAE References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | CR-9 |
| IR-02 | Incident Response Training | CR-9 |
| IR-03 | Incident Response Testing And Exercises | CR-9 |
| IR-04 | Incident Handling | CR-3, CR-9 |
| IR-05 | Incident Monitoring | CR-9 |
| IR-06 | Incident Reporting | CR-9 |
| IR-07 | Incident Response Assistance | CR-9 |
| IR-08 | Incident Response Plan | CR-9 |
| IR-09 | Information Spillage Response | CR-9 |
MP Media Protection
PL Planning
PM Program Management
| Control | Name | CBUAE References |
|---|---|---|
| PM-01 | Information Security Program Plan | CR-1 |
| PM-02 | Information Security Program Leadership Role | CR-1 |
| PM-03 | Information Security and Privacy Resources | CR-1 |
| PM-04 | Plan of Action and Milestones Process | CR-14 |
| PM-06 | Measures of Performance | CR-14 |
| PM-08 | Critical Infrastructure Plan | CR-13 |
| PM-09 | Risk Management Strategy | CR-1, CR-2 |
| PM-10 | Authorization Process | CR-14 |
| PM-11 | Mission and Business Process Definition | CR-13 |
| PM-13 | Security and Privacy Workforce | CR-1, CR-11 |
| PM-14 | Testing, Training, and Monitoring | CR-10 |
| PM-15 | Security and Privacy Groups and Associations | CR-11 |
| PM-16 | Threat Awareness Program | CR-3 |
| PM-28 | Risk Framing | CR-1, CR-2 |
| PM-29 | Risk Management Program Leadership Roles | CR-1 |
| PM-30 | Supply Chain Risk Management Strategy | CR-12 |
| PM-31 | Continuous Monitoring Strategy | CR-12 |
| PM-32 | Purposing | CR-12 |
PS Personnel Security
| Control | Name | CBUAE References |
|---|---|---|
| PS-09 | Position Descriptions | CR-1 |
PT Personally Identifiable Information Processing and Transparency
| Control | Name | CBUAE References |
|---|---|---|
| PT-01 | Policy and Procedures | CR-5 |
| PT-02 | Authority to Process Personally Identifiable Information | CR-5 |
| PT-03 | Personally Identifiable Information Processing Purposes | CR-5 |
| PT-04 | Consent | CR-5 |
| PT-05 | Privacy Notice | CR-5 |
| PT-06 | System of Records Notice | CR-5 |
| PT-07 | Specific Categories of Personally Identifiable Information | CR-5 |
| PT-08 | Computer Matching Requirements | CR-5 |
RA Risk Assessment
| Control | Name | CBUAE References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | CR-2 |
| RA-02 | Security Categorization | CR-2 |
| RA-03 | Risk Assessment | CR-2 |
| RA-04 | Risk Assessment Update | CR-2 |
| RA-05 | Vulnerability Scanning | CR-7, CR-10 |
| RA-06 | Technical Surveillance Countermeasures Survey | CR-10 |
| RA-07 | Risk Response | CR-2 |
| RA-09 | Criticality Analysis | CR-2, CR-10 |
| RA-10 | Threat Hunting | CR-3 |
SA System and Services Acquisition
| Control | Name | CBUAE References |
|---|---|---|
| SA-03 | Life Cycle Support | CR-6 |
| SA-04 | Acquisitions | CR-6, CR-12 |
| SA-08 | Security Engineering Principles | CR-6 |
| SA-09 | External Information System Services | CR-12 |
| SA-10 | Developer Configuration Management | CR-6 |
| SA-11 | Developer Security Testing | CR-6 |
| SA-15 | Development Process, Standards, and Tools | CR-6 |
| SA-16 | Developer-Provided Training | CR-6 |
| SA-17 | Developer Security and Privacy Architecture and Design | CR-6 |
| SA-20 | Customized Development of Critical Components | CR-6 |
| SA-21 | Developer Screening | CR-6, CR-12 |
| SA-22 | Unsupported System Components | CR-12 |
SC System and Communications Protection
| Control | Name | CBUAE References |
|---|---|---|
| SC-05 | Denial Of Service Protection | CR-7 |
| SC-07 | Boundary Protection | CR-7 |
| SC-08 | Transmission Integrity | CR-5, CR-8 |
| SC-12 | Cryptographic Key Establishment And Management | CR-8 |
| SC-13 | Use Of Cryptography | CR-5, CR-8 |
| SC-17 | Public Key Infrastructure Certificates | CR-8 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | CR-7 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | CR-7 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | CR-7 |
| SC-24 | Fail in Known State | CR-13 |
| SC-26 | Decoys | CR-3 |
| SC-28 | Protection of Information at Rest | CR-5, CR-8 |
| SC-39 | Process Isolation | CR-7 |
| SC-40 | Wireless Link Protection | CR-8 |
| SC-41 | Port and I/O Device Access | CR-7 |
| SC-44 | Detonation Chambers | CR-3 |
SI System and Information Integrity
| Control | Name | CBUAE References |
|---|---|---|
| SI-02 | Flaw Remediation | CR-7 |
| SI-03 | Malicious Code Protection | CR-7 |
| SI-04 | Information System Monitoring Tools And Techniques | CR-3, CR-7 |
| SI-07 | Software And Information Integrity | CR-7 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | CR-6 |
| SI-11 | Error Handling | CR-6 |
| SI-12 | Information Output Handling And Retention | CR-5 |
| SI-13 | Predictable Failure Prevention | CR-13 |
| SI-15 | Information Output Filtering | CR-6 |
| SI-16 | Memory Protection | CR-7 |
| SI-17 | Fail-safe Procedures | CR-13 |