
Sky Journal of Business Administration and Management Vol. 1(1), pp. 1 - 9, January, 2013
Available online http://www.skyjournals.org/SJBAM
ISSN 2315-8778 2013 Sky Journals

Full Length Research Paper

Managing data security in the United Arab Emirates


Messaoud Saidani*, Abdussalam Shibani, and Khaled Alawadi
Faculty of Engineering and Computing, Coventry University, United Kingdom (UK)
Accepted 24 January, 2013

United Arab Emirates organizations are entering a technology-driven world in which information is increasingly exchanged through electronic means and data is stored electronically. This paper investigates the need to develop a UAE data security strategy and a detailed framework that can ensure the safety of data and cope with all types of disasters expected in the country. The paper also reviews and analyses the types of hazards in the United Arab Emirates. In order to obtain a global view of how organizations in the United Arab Emirates are managing the security of their electronic information, a questionnaire was designed and distributed with the aim of obtaining a clear understanding of their data security procedures, practices and policies. The research has shown that each organization should have a set plan from the outset, which has to be periodically analysed, reviewed and modified to keep abreast of technological advancements and risks in order to protect its electronic data.

Key words: Data security (DS), risk management, disaster, information, organizations, data recovery plan (DRP)

INTRODUCTION

By the end of the 1990s, the UAE witnessed the invasion of IT into the local market. Prior to this, organizations and individuals in the UAE depended on paper for almost all their operations. Bank reports, audit work and correspondence were conducted on paper. Like all the countries in the region, the UAE's dependency on paper changed dramatically in the 1990s, when computers became indispensable for the operations of individuals and businesses. The boom of the last couple of years has had a vast impact on projects pertaining to tourism, real estate and trading, and on manufacturing companies focusing on the UAE for their Middle East operations. The new age of computerization quickly attracted the UAE government and citizens to the use of computers and the internet for their operations. UAE computer users have been exposed to incidents in which data was not saved or protected from different data hazards.

The development recently taking place in the UAE has placed the country among the fastest-growing economies in Asia and perhaps throughout the world. This development is driven by robust industrial, trade and agricultural growth, as well as oil revenues, which have led to a total improvement in the UAE IT infrastructure, which has become a major target of the UAE Federal Government. Dubai and Abu Dhabi are now among the world's fastest-growing cities. Today computers are used in all conceivable areas of the work environment. The size of the UAE's information technology and communications market amounted to $2bn in 2007, an increase of 10.1% (AMEInfo, 2008). "The telecoms market is on course to record a compounded annual growth rate of 8.5 per cent to reach Dh27.27 billion from Dh21.68 billion in 2007. By 2009, it is expected to reach Dh29.72 billion" (Issac, 2008).

In order to maintain business continuity and secure national and international investments, data security awareness, represented by a Data Recovery Plan (DRP), must be put in place to protect data from human-made and natural hazards. Environmental hazards expected in the UAE, such as overheating, floods or earthquakes, raise the need to adopt data security plans to safeguard the huge volume of information and to guarantee a safe working environment. Man-made hazards are also expected, since data is targeted by hackers, intruders, viruses, worms or system failures. Recent statistics have shown that more than 70% of all IT security fraud is internal. "No matter how advanced our systems are, we are always vulnerable," said Khalfan Al Mazrouei, IT manager of Abu-Dhabi Security Market (ADSM) (Qadir, 2006). He continued that IT security is essential to the UAE financial markets, as the financial sector in particular has always been a target for fraud worldwide. The Internet has given investors an efficient access to financial markets where investors can operate

*Corresponding Author. E-mail: abd_shi2003@hotmail.com.

Sky. J. Bus. Admin. Manage.

with wider and multi-environments; however, it has opened up new opportunities for intruders like hackers to exploit the resources of organizations. Disasters that affected the Middle East region were recently one of the topics discussed at a conference held in Abu-Dhabi, capital of the UAE. Topics such as whether organizations are prepared to deal with future disasters, and what sort of plans the country has to safeguard all data if a disaster strikes, were discussed. The co-operation between organizations to initiate a national disaster plan in the country was also one of the issues discussed. "We have the capacity, technology, resources and manpower, but what we don't have yet is the coordination between the different departments and relief agencies," said Dr Jamal Alhosani, director of information and communication at the National Crisis and Emergency Management Authority (NCEMA) (Youssef, 2008).

Common hazards in the UAE

Data security awareness requires conducting studies of potential hazards in the UAE as a basis for data protection, and this must be the organizations' responsibility. The UAE is prone to many types of hazards. Some of these hazards are natural and some are man-made. Natural disasters include earthquakes, flooding and over-heating, which have remained the main natural hazards throughout its history. Another main type of disaster is the man-made disaster, usually caused by negligent or careless people and workers inside organizations. These hazards might be caused deliberately or unintentionally by some of the employees of the organization. Deliberate disasters, such as terrorist attacks, arson, and theft of confidential business information, are those intentionally caused by people, resulting in loss of information in an organization. Disgruntled employees are likely to take deliberate actions such as hacking information from computers, aiding the theft of physical equipment, or setting fire to office premises.

These types of actions occur all over the world and not only in the UAE. Symantec (2006) reports that the current Internet threat atmosphere is on high alert owing to an increase in information leakage, data theft, and the creation of malevolent software written with the aim of stealing secret data that can be used for monetary benefit and for revealing information to competing organizations. Another report by Maktoob Business (2007) also states that the UAE has the latest IT infrastructure but, unfortunately, is ranked among the 180 countries in the world targeted by frequent online fraudsters' activities.

Role of Risk Management

Not only are the business operations of organizations of great importance to their employees and staff, but they

are also important to customers and partners. The users anticipate incessant data availability, confidentiality, and authorised access to organizational information (McAnally et al., 2000). The risk managers of big organizations have the major responsibility of protecting information and maintaining competitive advantages for the business through data security policies. "This responsibility also maintains, secures the continuity of businesses, and safeguards their commercial image" (British Standard Institution, 1999). It is essential that organizations ensure that all their data is accurate, available, secure and confidential and that its integrity is maintained. A well-defined data security process enables an organization to have defined guidelines and procedures that ensure that the data is safe. The data security process also assures the organization that its risks are minimized to acceptable and controlled levels. This control process ensures that the risks are at low probabilities and at levels acceptable to the management of the organization.

All organizations are fiercely vying in this universal environment to gain high availability of IT resources for their operations. Hence a disaster, whether natural or man-made, can have adverse effects if data is not properly restored for business operations. A natural disaster is one that is caused by nature, such as cyclones, earthquakes or tornadoes. Man-made disasters are caused by man, either intentionally or unintentionally, and cause the network or the computer systems to fail (IBM, 2012). Hence, it is a major security and data management concern that hazards and risks are minimized and brought down to an acceptable level, so that organizations can continue their businesses in the usual manner, or at a convenient level, should a data hazard occur.

It should also be taken into account that data has to be restored to its state prior to the disaster so that the business operations can continue (Glenn, 2002). Thus, the primary goals of data security in an organization are to prioritize its assets, conduct risk analysis on all assets, and form its data security team. "Today DRP is seen as the active component of business continuity plan which focuses mainly on the recovery of the IT department and all related functions" (Hassim, 2000). The main responsibility of the data risk management team is to prepare a data recovery plan that operates as an integrated process that develops policies, measures and procedures to ensure the business and disaster preparedness of an organization. This preparedness and these processes define the capability of business firms to perform their tasks in periods of disaster and respond spontaneously to data hazards (Clinch, 2009). Adopting the data recovery plan of the organization, the ways and procedures for data security should adhere to international standards on data security like BS7999, COBIT and ISACA. Thereby, it is essential to ensure that the developed data security plans are consistent,

Saidani et al.

Figure 1. Business type. [Pie chart, "What's your type of business?": Production sector 29%; Services sector 71%.]

comprehensive and following international standards. Furthermore, a variety of data methodologies tend to combine the processes of identifying recovery strategies and gradually implementing them in organizations (British Standard Institution, 1999). Data recovery is a process of planning, documenting and identifying activities and procedures that enable employees and the entire business to respond immediately to hazards that may cause apparent damage to IT resources. The main authority or responsibility for implementing data security in the organization rests with the data security manager. The role of the data risk manager is to steer all employees and the data security management team towards reducing the hazard and to be committed to decision making, strategic planning and the evaluation of data risks and hazards. The data security plan is developed and enhanced by the data security team, and all employees of the organization are instructed to conduct specific tasks when hazards occur. It is critical that the role of each team, committee or employee be specific within the plan, and limited to data risk management practices in accordance with hazardous behaviour.

A communication policy is one of the major components of a DRP, as it ensures that staff are limited to DRP procedures and continually kept informed of the situation, so that they may take the necessary actions (Link Associates international, 2005). Training is an essential part of data recovery planning to ensure that employees are self-confident. It should also increase data security awareness and adherence to the correct procedures and processes when employees are carrying out their specific tasks. Training increases the employees' insight into data security procedures as well as their business competence and capabilities.

A good data security plan is vital for any organization in order to achieve its objectives, business performance and mission. It should identify the most cost-effective ways of performing certain functions and procedures, and should

show the best way to present data security procedures when hazards occur.

Data collection and analysis via questionnaire

In order to obtain a global view of how organizations in the United Arab Emirates are managing the security of their electronic information, a questionnaire was designed and distributed to gain a clear understanding of their data security procedures, data security practices, and the policies undertaken regarding data security frameworks and risk plans. Although 70 organizations were targeted in this study, only 35 questionnaires were filled in and returned, perhaps due to the sensitivity of the subject. The organizations targeted include retail chains, building construction, one steel factory, some charity organizations, hospitals, insurance companies, private universities, airlines and travel agencies. The objective of this study was to investigate the need for developing a data security procedural plan and practices that can cope with all kinds of hazards and potential disasters, to ensure the safety and integrity of the data for IT-based organizations. It is worth mentioning that the distribution of the questionnaire took place in April 2008 and that it was analyzed in September 2008 as part of the researcher's dissertation. In this paper, only sample questions from the complete analysis are presented to convey the purpose of the questionnaire to the reader.

ANALYSIS RESULTS

Section 1: About Organizations

Organizations from the production and services sectors across the United Arab Emirates have been covered in this study. Figure 1 illustrates that 71% of the respondents were from organizations classified as services sector, and 29%


Figure 2. Business size. [Pie chart, "What size is your organization?": Big 23%; Small 31%; Medium 46%.]

Figure 3. Plan existence. [Pie chart, "Do you have any written plan to secure data in the organization?": No, 26, 74%; Yes, 9, 26%.]

were Production sector. Figure 2 shows that organizations of different sizes, according to the number of employees in each of the contacted organizations, were also covered in this study. The results obtained show that 46% of the respondents (16 responses) were from organizations classified as medium-sized, 31% as small (11 responses), and 23% (8 responses) as big companies. Among those organizations, and as shown in Figure 3, the majority, 74% (26 responses), did not have any written plan to secure data in their organizations, and only 24% (9 organizations) had some sort of plan to secure data. It was important for this study to ask such a question, since it shows the real situation of the organizations responding to the questionnaire and checks their preparedness to deal with any hazards which may cause the loss of the organizations' data. It is a matter of concern that no written processes exist in these organizations for

identifying, assessing, and reducing data risks to an acceptable level through the development, implementation, and maintenance of written, approved, organization-wide policies for data security. Therefore, most UAE organizations are not prepared to deal with any kind of disaster. They are in danger because this unprepared status may lead to the loss of their data, and they are not paying enough attention to data security procedures.

Section 2: Operating Plans Efficiency

This section deals only with the 26% (the nine organizations) which have a data security plan in place, in order to check the practices and effectiveness of their plans. Figure 4 shows that the majority of organizations, 56% of the respondents, store 75% of their data in electronic format, while 33% store between 51-75% of their data


Figure 4. Percentage of electronic data stored. [Pie chart, "What is the percentage of data stored in an electronic format in your organization?"; categories: Less than 25%, From 25% to 50%, From 51% to 75%, Over 75%.]

Figure 5. Expected hazards. [Pie chart, "What kinds of hazards are most expected in your organization?": Man-made only 44%; Both 56%; Natural only 0%.]

electronically and only 11% store between 25-50% of their data electronically. The questions analyzed in the next two figures (5 and 6) aim to identify the most common hazards expected in the UAE, their probability of occurrence and the business impact of these hazards. The main purpose was to gauge the respondents' awareness of data security risks in the UAE and to check whether they frequently face data security hazards, which helps to conclude whether or not UAE organizations are at risk. Figure 5 shows that 44% of these organizations are afraid of man-made hazards only, whereas the remaining

56% fear the occurrence of both man-made and natural disasters. Figure 6 indicates that all organizations encountered some hazards this year: 56% encountered more than 5 hazards this year, and the remaining 44% encountered less than 5 hazards. The above results should enforce strict data security measures within organizations, both technical and operational, in order to protect sensitive organizational data from hazards. The questions in Table 1 seek more details about the plans of those organizations that have them, in


Figure 6. Number of times to encounter data hazards. [Pie chart, "How many times have you encountered data security hazards this year?": Not any 0%; Less than 5 times 44%; More than 5 times 56%; Five times 0%.]

Table 1. A closer look at DSP for organizations (O = organization).

Where do you store confidential data in your organization? (O1 O2 O3 O4 O5 O6 O7 O8 O9)
Servers: * * * * * * *
Computers: * * *
Portable devices: * *

The procedures to stop the most aggressive hazard took place . (O1 O2 O3 O4 O5 O6 O7 O8 O9)
Once the hazard hits: * * * * *
Before the hazard hits: * * * *

You could manage to save .of your data after this hazard. (O1 O2 O3 O4 O5 O6 O7 O8 O9)
All: *
More than 75 %: * * * * * *
Between 50% to 75%: * *
Less than 50%:
None:

terms of procedures and practices to maintain data security. The questions further check the efficiency of the current risk management practices and processes, and highlight how organizations anticipate data security crises and whether risk management knowledge exists within the organization. Although those organizations are operating their data security plans, it is clear that some plans need to be modified and reviewed to maintain the confidentiality and the security of the data, so that organizations can be ready to deal with any disaster and

avoid any losses of the stored data. From Table 1, we can conclude the following:

i.) While some organizations store their data on servers, other organizations still store their data on portable devices and personal computers, which does not ensure the confidentiality and authenticity of the data, and this is considered to be a drawback.

ii.) For the most aggressive disaster which each of those organizations experienced, some organizations were prepared and ready to deal with the hazard, while others


Figure 7. Framework quality factors. [Stacked bar chart, "Importance of Quality Factors related to data security framework". Factors: Evaluation of Recovery Plan, Hazard control, Routine monitoring, Security procedures, Risk management tools, Estimating risks, Hazard identification, Environmental analysis, Legal requirements, Data security policy, Risk training program, Written Recovery Plan. Horizontal axis: 0% to 100%. Legend: Very important, Important, Average, Low important, Not important.]

dealt with the hazard only at the time of its occurrence, which means that they were not ready or prepared to stop the hazard. Having proper plans in place usually helps to minimize and control the hazard.

iii.) All organizations except one experienced some loss of their data as a result of a certain hazard, which raises the need to review and modify their plans in order to understand the reasons for the loss and to avoid any future losses. This process of reviewing and evaluating the data security plan should be done periodically, and at least once a year, due to the dramatic day-to-day changes in technology and business activities in the country.

Section 3: Quality factors for DS framework

All 35 organizations, including those not having any sort of plan, responded to this part. This part asks organizations about their perception of some quality factors related to a data security framework, such as a risk training program, having the plan written, estimating risks, security procedures, hazard control and the other factors presented in this section. These quality factors play a significant role in studying the impact of data security procedures on organizations. The main focus here lies on drawing the organizations' attention to how important these factors are to an organization, should they consider them in order to improve their

existing plans or to develop new plans considering these quality specifications. As can be clearly seen from Figure 7, most of the answers are positive, between very important and important, which supports considering and implementing those quality factors when building a new data security framework within organizations or modifying an existing one. The 35 organizations, including those that do not have a plan in place, recognized the importance of those factors as follows:

i.) 98% of the answers considered that a written recovery plan is a necessary document for an organization to have.

ii.) Almost 90% of the answers considered the risk training program for staff an important phase in the data security framework.

iii.) 98% of the answers considered the data security policy an important document which should exist in any organization to ensure the safety of the data.

iv.) 90% support that the framework must meet the legal requirements in all circumstances.

v.) A study focusing on the surrounding environment is supported by 90% of the answers.

vi.) Security procedures, which are derived from the security policy and provide a step-by-step process to secure data, are supported by approximately 97% of the answers.

vii.) Organizations that supported the estimation of


the risk as an important factor to be explained when laying out a plan amounted to 97%, whereas being able to identify the hazard was supported by 90%.

viii.) 80% of the organizations agreed on using some risk management tools as an important part to be considered in the framework.

ix.) Monitoring is an important phase in the data security framework, and it is supported by 90% of the answers.

x.) Almost 90% support that hazard control techniques should be thought about in advance in the framework.

xi.) 97% emphasized the importance of evaluating the plan from time to time as an important process in testing the efficiency of the plan.

To conclude, this section shows that the 35 organizations strongly supported the quality factors being considered and thought about while developing a new data security framework or modifying an existing one.

DISCUSSION

Organizations need to adopt data security plans covering both managerial and technical aspects in order to protect their own data. As analyzed in Section 1, most organizations in the UAE do not have any sort of written plan that aims to keep their data protected and prevent it from being lost. Therefore, they are not prepared to deal with disasters or even to mitigate data losses if a disaster occurs. In Section 2 it was concluded that some organizations that have data security plans need to review their plans for further modifications to ensure proper security measures and practices. Adopting a data security plan within organizations is an urgent matter if they are to deal with hazards and mitigate data losses. As analyzed in Section 3, organizations have supported the development of the plan considering some quality factors as minimum requirements. These factors are to have the plan written, a risk training program, a data security policy, routine monitoring, and legal requirements.

Nevertheless, organizations should perform an environmental analysis and be able to estimate the risk, identify hazards, control the hazards, and evaluate the plan periodically for modification.

Conclusion

Managing data security in the United Arab Emirates, in this information technology environment that is changing rapidly all over the world, is a Herculean challenge. This dynamic, interconnected workspace requires timely and reliable information to make immediate decisions lest there should be room for failure. Hence, the data security management of an organization has to find efficient and effective strategies to guarantee that it fully understands the information and data security risks affecting its operations, and implement apt controls to

mitigate these risks. The security of an organization's data and information assets is indispensable to establishing and sustaining the confidence of its customers. This process has to maintain conformity with the legal requirements and shield the reputation of the organization. This procedure must be supported by operational and technical security standards to conduct active monitoring and assessments of the security program. The one prerequisite for a committed data security plan to function effectively is that it be strongly endorsed by the organization's Board of Directors and the executive top management.

Future work

Based on the necessity to protect data in governmental bodies, multinational companies and all UAE firms, the researcher is embarking on developing a data security management framework to meet the needs of UAE-based organizations to protect their organizational data. This process can be applied not only to the local market but also internationally. This data security management framework will be set to:

i.) Provide management with a comprehensive guide on how to create a data security plan.

ii.) Implement it as a real action in case some hazardous problem really occurs.

iii.) Make a comprehensive appraisal of data security hazards.

iv.) Mitigate the data losses resulting from a hazard, whether human-made or natural.

v.) Educate data security committees about data security issues.

The main focus is to safeguard all organizational data and information from accidents, natural disasters or deliberate misuse, theft or intentional theft, and to ensure the protection of information resources from accidental or intentional unauthorized access or damage, in order to support the mission and vision of an organization.
REFERENCES

AMEInfo (2008). "UAE's IT market hits $2bn in 2007", available at: http://www.ameinfo.com/156530.html (accessed 15 May 2008).

AMEInfo (2003). "UAE air-conditioning market reports strong growth", available at: http://www.ameinfo.com/31832.html (accessed 17 April 2008).

British Standard Institution (1999). Information Security Management: Part 1: Code of Practice for Information Security Management BS 7799-1, British Standards Institution, London.

Glenn J (2002). "What is business continuity planning? How does it differ from disaster recovery planning?", Disaster Recovery J., 15(1): 14 - 15.

Hassim M (2000). "To plan or not to plan?", available at: http://www.accountancysa.org.za/archives/1999/1999nov/features/plan.htm (accessed 16 October 2008).

IBM (2012). Consolidated security management for mainframe clouds. Thought Leadership White Paper.

Issac J (2008). "UAE: Telecoms market to rise 63pc", Khaleej Times Newspaper, 3 July, p. 9.

Clinch J (2009). Best management practice. For portfolio, programme, project, risk and service management. Clinch Consulting.

Link Associates international (2005). Information & Communications Survey Report, Link Associates International, Derby.

Maktoob Business (2007). "UAE ranks 46th globally as originator of phishing attacks", available at: http://business.maktoob.com (accessed 10 October 2008).

McAnally P, DiMartini B, Hakun J, Lindman G, Parker R (2000). "Realtime data availability solutions: does your business have a need for speed?", Disaster Resource Guide, available at: http://www.disasterresource.com/cgi-bin/article_search.cgi?id=22 (accessed 25 June 2008).

Qadir J (2006). "IT security crucial to UAE", Khaleej Times Newspaper, 2 July, p. 2.

Symantec (2006). "Protecting Client Systems from the Crimeware Invasion", available at: http://whitepapers.pcmag.com/whitepaper685/ (accessed 15 August 2008).

Youssef M (2008). "UAE needs national plan to deal with disasters", GulfNews, 15 May, pp. 1 - 5.
