Qatar National Information Assurance Policy v2.0
Mandatory information assurance policy for all Qatar government entities and critical infrastructure operators. 11 security domains modeled on ISO 27001 and NIST 800-53 with a 3-tier classification system (Basic, Advanced, Critical). Covers governance, risk management, asset management, HR security, physical security, communications, operations, access control, systems development, incident management, and business continuity.
AC (23) AT (5) AU (15) CA (8) CM (14) CP (13) IA (12) IR (9) MP (8) PE (23) PL (6) PM (18) PS (9) RA (7) SA (15) SC (29) SI (8) SR (7)
AC Access Control
| Control | Name | Qatar NIA References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | AC |
| AC-02 | Account Management | AC |
| AC-03 | Access Enforcement | AC |
| AC-04 | Information Flow Enforcement | ACCS |
| AC-05 | Separation Of Duties | AC |
| AC-06 | Least Privilege | AC |
| AC-07 | Unsuccessful Login Attempts | AC |
| AC-08 | System Use Notification | AC |
| AC-09 | Previous Logon Notification | AC |
| AC-10 | Concurrent Session Control | AC |
| AC-11 | Session Lock | AC |
| AC-12 | Session Termination | AC |
| AC-13 | Supervision And Review -- Access Control | AC |
| AC-14 | Permitted Actions Without Identification Or Authentication | AC |
| AC-16 | Automated Labeling | ACAM |
| AC-17 | Remote Access | ACCS |
| AC-18 | Wireless Access Restrictions | ACCS |
| AC-19 | Access Control For Portable And Mobile Devices | AC |
| AC-20 | Use Of External Information Systems | ACCS |
| AC-21 | Information Sharing | AC |
| AC-22 | Publicly Accessible Content | AC |
| AC-24 | Access Control Decisions | AC |
| AC-25 | Reference Monitor | AC |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | Qatar NIA References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | OS |
| AU-02 | Auditable Events | OS |
| AU-03 | Content Of Audit Records | OS |
| AU-04 | Audit Storage Capacity | OS |
| AU-05 | Response To Audit Processing Failures | OS |
| AU-06 | Audit Monitoring, Analysis, And Reporting | IMOS |
| AU-07 | Audit Reduction And Report Generation | IMOS |
| AU-08 | Time Stamps | OS |
| AU-09 | Protection Of Audit Information | OS |
| AU-10 | Non-Repudiation | OS |
| AU-11 | Audit Record Retention | OS |
| AU-12 | Audit Record Generation | OS |
| AU-13 | Monitoring for Information Disclosure | OS |
| AU-14 | Session Audit | OS |
| AU-16 | Cross-Organizational Audit Logging | OS |
CA Security Assessment and Authorization
| Control | Name | Qatar NIA References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | GV |
| CA-02 | Security Assessments | GVOSRMSD |
| CA-03 | Information System Connections | CS |
| CA-05 | Plan Of Action And Milestones | GVRM |
| CA-06 | Security Accreditation | GV |
| CA-07 | Continuous Monitoring | GVOSRM |
| CA-08 | Penetration Testing | OS |
| CA-09 | Internal System Connections | CS |
CM Configuration Management
| Control | Name | Qatar NIA References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | OS |
| CM-02 | Baseline Configuration | OSSD |
| CM-03 | Configuration Change Control | OSSD |
| CM-04 | Monitoring Configuration Changes | OSSD |
| CM-05 | Access Restrictions For Change | OSSD |
| CM-06 | Configuration Settings | OS |
| CM-07 | Least Functionality | OS |
| CM-08 | Information System Component Inventory | AMOS |
| CM-09 | Configuration Management Plan | OS |
| CM-10 | Software Usage Restrictions | OS |
| CM-11 | User-Installed Software | OS |
| CM-12 | Information Location | AMOS |
| CM-13 | Data Action Mapping | AM |
| CM-14 | Signed Components | OSSD |
CP Contingency Planning
| Control | Name | Qatar NIA References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | BC |
| CP-02 | Contingency Plan | BC |
| CP-03 | Contingency Training | BC |
| CP-04 | Contingency Plan Testing And Exercises | BC |
| CP-05 | Contingency Plan Update | BC |
| CP-06 | Alternate Storage Site | BC |
| CP-07 | Alternate Processing Site | BC |
| CP-08 | Telecommunications Services | BC |
| CP-09 | Information System Backup | BCOS |
| CP-10 | Information System Recovery And Reconstitution | BCOS |
| CP-11 | Alternate Communications Protocols | BC |
| CP-12 | Safe Mode | BC |
| CP-13 | Alternative Security Mechanisms | BC |
IA Identification and Authentication
| Control | Name | Qatar NIA References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | AC |
| IA-02 | User Identification And Authentication | AC |
| IA-03 | Device Identification And Authentication | AC |
| IA-04 | Identifier Management | AC |
| IA-05 | Authenticator Management | AC |
| IA-06 | Authenticator Feedback | AC |
| IA-07 | Cryptographic Module Authentication | AC |
| IA-08 | Identification and Authentication (Non-Organizational Users) | AC |
| IA-09 | Service Identification and Authentication | AC |
| IA-10 | Adaptive Authentication | AC |
| IA-11 | Re-authentication | AC |
| IA-12 | Identity Proofing | AC |
IR Incident Response
| Control | Name | Qatar NIA References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | IM |
| IR-02 | Incident Response Training | IM |
| IR-03 | Incident Response Testing And Exercises | IM |
| IR-04 | Incident Handling | IM |
| IR-05 | Incident Monitoring | IM |
| IR-06 | Incident Reporting | IM |
| IR-07 | Incident Response Assistance | IM |
| IR-08 | Incident Response Plan | IM |
| IR-09 | Information Spillage Response | IM |
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | Qatar NIA References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | PS |
| PE-02 | Physical Access Authorizations | HRPS |
| PE-03 | Physical Access Control | PS |
| PE-04 | Access Control For Transmission Medium | PS |
| PE-05 | Access Control For Display Medium | PS |
| PE-06 | Monitoring Physical Access | PS |
| PE-07 | Visitor Control | PS |
| PE-08 | Access Records | PS |
| PE-09 | Power Equipment And Power Cabling | PS |
| PE-10 | Emergency Shutoff | PS |
| PE-11 | Emergency Power | PS |
| PE-12 | Emergency Lighting | PS |
| PE-13 | Fire Protection | PS |
| PE-14 | Temperature And Humidity Controls | PS |
| PE-15 | Water Damage Protection | PS |
| PE-16 | Delivery And Removal | AMPS |
| PE-17 | Alternate Work Site | PS |
| PE-18 | Location Of Information System Components | PS |
| PE-19 | Information Leakage | PS |
| PE-20 | Asset Monitoring and Tracking | PS |
| PE-21 | Electromagnetic Pulse Protection | PS |
| PE-22 | Component Marking | PS |
| PE-23 | Facility Location | PS |
PL Planning
PM Program Management
| Control | Name | Qatar NIA References |
|---|---|---|
| PM-01 | Information Security Program Plan | GV |
| PM-02 | Information Security Program Leadership Role | GV |
| PM-03 | Information Security and Privacy Resources | GV |
| PM-04 | Plan of Action and Milestones Process | RM |
| PM-05 | System Inventory | AMGV |
| PM-06 | Measures of Performance | GV |
| PM-07 | Enterprise Architecture | GV |
| PM-08 | Critical Infrastructure Plan | BC |
| PM-09 | Risk Management Strategy | GVRM |
| PM-10 | Authorization Process | GV |
| PM-11 | Mission and Business Process Definition | BC |
| PM-13 | Security and Privacy Workforce | GV |
| PM-14 | Testing, Training, and Monitoring | GVIM |
| PM-15 | Security and Privacy Groups and Associations | GV |
| PM-28 | Risk Framing | GVRM |
| PM-30 | Supply Chain Risk Management Strategy | GV |
| PM-31 | Continuous Monitoring Strategy | GV |
| PM-32 | Purposing | GV |
PS Personnel Security
| Control | Name | Qatar NIA References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | HR |
| PS-02 | Position Categorization | HR |
| PS-03 | Personnel Screening | HR |
| PS-04 | Personnel Termination | HR |
| PS-05 | Personnel Transfer | HR |
| PS-06 | Access Agreements | HR |
| PS-07 | Third-Party Personnel Security | HR |
| PS-08 | Personnel Sanctions | HR |
| PS-09 | Position Descriptions | GVHR |
RA Risk Assessment
SA System and Services Acquisition
| Control | Name | Qatar NIA References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | GVSD |
| SA-02 | Allocation Of Resources | GVSD |
| SA-03 | Life Cycle Support | SD |
| SA-04 | Acquisitions | SD |
| SA-05 | Information System Documentation | SD |
| SA-08 | Security Engineering Principles | SD |
| SA-09 | External Information System Services | SD |
| SA-10 | Developer Configuration Management | SD |
| SA-11 | Developer Security Testing | SD |
| SA-15 | Development Process, Standards, and Tools | SD |
| SA-16 | Developer-Provided Training | SD |
| SA-17 | Developer Security and Privacy Architecture and Design | SD |
| SA-20 | Customized Development of Critical Components | SD |
| SA-21 | Developer Screening | SD |
| SA-22 | Unsupported System Components | SD |
SC System and Communications Protection
| Control | Name | Qatar NIA References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | CS |
| SC-02 | Application Partitioning | CS |
| SC-03 | Security Function Isolation | CS |
| SC-04 | Information Remnance | AMCS |
| SC-05 | Denial Of Service Protection | CS |
| SC-07 | Boundary Protection | CS |
| SC-08 | Transmission Integrity | CS |
| SC-10 | Network Disconnect | CS |
| SC-11 | Trusted Path | CS |
| SC-12 | Cryptographic Key Establishment And Management | CS |
| SC-13 | Use Of Cryptography | CS |
| SC-15 | Collaborative Computing | CS |
| SC-16 | Transmission Of Security Parameters | CS |
| SC-17 | Public Key Infrastructure Certificates | CS |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | CS |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | CS |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | CS |
| SC-23 | Session Authenticity | CS |
| SC-26 | Decoys | CS |
| SC-28 | Protection of Information at Rest | CS |
| SC-32 | System Partitioning | CS |
| SC-36 | Distributed Processing and Storage | CS |
| SC-37 | Out-of-band Channels | CS |
| SC-38 | Operations Security | CS |
| SC-39 | Process Isolation | CS |
| SC-40 | Wireless Link Protection | CS |
| SC-44 | Detonation Chambers | CS |
| SC-46 | Cross Domain Policy Enforcement | CS |
| SC-47 | Alternate Communications Paths | CS |
SI System and Information Integrity
| Control | Name | Qatar NIA References |
|---|---|---|
| SI-02 | Flaw Remediation | OS |
| SI-03 | Malicious Code Protection | OS |
| SI-04 | Information System Monitoring Tools And Techniques | IMOS |
| SI-05 | Security Alerts And Advisories | IMOS |
| SI-07 | Software And Information Integrity | OS |
| SI-08 | Spam Protection | CS |
| SI-13 | Predictable Failure Prevention | BC |
| SI-16 | Memory Protection | OS |